* [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.
@ 2009-05-17 19:09 Przemyslaw Pawelczyk
2009-05-18 4:49 ` Ananth N Mavinakayanahalli
2009-05-18 23:56 ` Josh Stone
0 siblings, 2 replies; 6+ messages in thread
From: Przemyslaw Pawelczyk @ 2009-05-17 19:09 UTC (permalink / raw)
To: systemtap
Replace in-scope variables references with *_arg functions. Use 'kprobe'
family of probes instead of 'kernel' family for dwarfless probing. Also
fix a few typos and unify formatting.
---
tapset/nd_syscalls.stp | 2691 ++++++++++++++++++++++++++++++------------------
1 files changed, 1711 insertions(+), 980 deletions(-)
diff --git a/tapset/nd_syscalls.stp b/tapset/nd_syscalls.stp
index a0e5286..32c3640 100644
--- a/tapset/nd_syscalls.stp
+++ b/tapset/nd_syscalls.stp
@@ -12,9 +12,6 @@
* nd_syscalls.stp is a copy of syscalls.stp, modified to refer to
* function arguments by number rather than name, so that this tapset
* can be used even when the probed kernel lacks debugging information.
- *
- * So far, the names-to-numbers conversion covers only syscall.a*
- * through syscall.c*, plus a few others.
*/
@@ -37,7 +34,8 @@
# accept _____________________________________________________
# long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr,
# int __user *upeer_addrlen)
-probe nd_syscall.accept = kernel.function("sys_accept") ? {
+probe nd_syscall.accept = kprobe.function("sys_accept") ?
+{
name = "accept"
// sockfd = $fd
// addr_uaddr = $upeer_sockaddr
@@ -49,14 +47,16 @@ probe nd_syscall.accept = kernel.function("sys_accept") ? {
addrlen_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", sockfd, addr_uaddr, addrlen_uaddr)
}
-probe nd_syscall.accept.return = kernel.function("sys_accept").return ? {
+probe nd_syscall.accept.return = kprobe.function("sys_accept").return ?
+{
name = "accept"
retstr = returnstr(1)
}
# access _____________________________________________________
# long sys_access(const char __user * filename, int mode)
-probe nd_syscall.access = kernel.function("sys_access") {
+probe nd_syscall.access = kprobe.function("sys_access")
+{
name = "access"
// pathname = user_string($filename)
// mode = $mode
@@ -68,22 +68,25 @@ probe nd_syscall.access = kernel.function("sys_access") {
mode_str = _access_mode_str(mode)
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), mode_str)
}
-probe nd_syscall.access.return = kernel.function("sys_access").return {
+probe nd_syscall.access.return = kprobe.function("sys_access").return
+{
name = "access"
retstr = returnstr(1)
}
# acct _______________________________________________________
# long sys_acct(const char __user *name)
-probe nd_syscall.acct = kernel.function("sys_acct") ? {
+probe nd_syscall.acct = kprobe.function("sys_acct") ?
+{
name = "acct"
- // filename = user_string($name)
+ // filename = user_string($name)
// argstr = user_string_quoted($name)
asmlinkage()
filename = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
+probe nd_syscall.acct.return = kprobe.function("sys_acct").return ?
+{
name = "acct"
retstr = returnstr(1)
}
@@ -95,7 +98,8 @@ probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
# size_t plen,
# key_serial_t ringid)
#
-probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
+probe nd_syscall.add_key = kprobe.function("sys_add_key") ?
+{
name = "add_key"
// type_uaddr = $_type
// description_auddr = $_description
@@ -105,7 +109,7 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
// argstr = sprintf("%s, %s, %s, %d, %d",
// user_string_quoted($_type),
// user_string_quoted($_description),
- // text_strn(user_string($_payload),syscall_string_trunc,1),
+ // text_strn(user_string($_payload), syscall_string_trunc, 1),
// $plen, $ringid)
asmlinkage()
type_uaddr = pointer_arg(1)
@@ -116,49 +120,54 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
argstr = sprintf("%s, %s, %s, %d, %d",
user_string_quoted(type_uaddr),
user_string_quoted(description_uaddr),
- text_strn(user_string(payload_uaddr),syscall_string_trunc,1),
+ text_strn(user_string(payload_uaddr), syscall_string_trunc, 1),
plen, ringid)
}
-probe nd_syscall.add_key.return = kernel.function("sys_add_key").return ? {
+probe nd_syscall.add_key.return = kprobe.function("sys_add_key").return ?
+{
name = "add_key"
retstr = returnstr(1)
}
# adjtimex ___________________________________________________
# long sys_adjtimex(struct timex __user *txc_p)
-probe nd_syscall.adjtimex = kernel.function("sys_adjtimex") {
+probe nd_syscall.adjtimex = kprobe.function("sys_adjtimex")
+{
name = "adjtimex"
/*
- * buf_offset = __uget_timex_m($txc_p,1)
- * buf_freq = __uget_timex_m($txc_p,2)
- * buf_maxerror = __uget_timex_m($txc_p,3)
- * buf_esterror = __uget_timex_m($txc_p,4)
- * buf_status = __uget_timex_m($txc_p,5)
- * buf_constant = __uget_timex_m($txc_p,6)
- * buf_precision = __uget_timex_m($txc_p,7)
- * buf_tolerance = __uget_timex_m($txc_p,8)
- * buf_time_tv_sec = __uget_timex_m($txc_p,9)
- * buf_time_tv_usec = __uget_timex_m($txc_p,10)
- * buf_tick = __uget_timex_m($txc_p,11)
+ * buf_offset = __uget_timex_m($txc_p, 1)
+ * buf_freq = __uget_timex_m($txc_p, 2)
+ * buf_maxerror = __uget_timex_m($txc_p, 3)
+ * buf_esterror = __uget_timex_m($txc_p, 4)
+ * buf_status = __uget_timex_m($txc_p, 5)
+ * buf_constant = __uget_timex_m($txc_p, 6)
+ * buf_precision = __uget_timex_m($txc_p, 7)
+ * buf_tolerance = __uget_timex_m($txc_p, 8)
+ * buf_time_tv_sec = __uget_timex_m($txc_p, 9)
+ * buf_time_tv_usec = __uget_timex_m($txc_p, 10)
+ * buf_tick = __uget_timex_m($txc_p, 11)
*/
// argstr = sprintf("%p", $txc_p)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
-probe nd_syscall.adjtimex.return = kernel.function("sys_adjtimex").return {
+probe nd_syscall.adjtimex.return = kprobe.function("sys_adjtimex").return
+{
name = "adjtimex"
// retstr = _adjtimex_return_str($return)
retstr = _adjtimex_return_str(returnval())
}
# long compat_sys_adjtimex(struct compat_timex __user *utp)
-probe nd_syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ? {
+probe nd_syscall.compat_adjtimex = kprobe.function("compat_sys_adjtimex") ?
+{
name = "compat_adjtimex"
// argstr = sprintf("%p", $utp)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
-probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ? {
+probe nd_syscall.compat_adjtimex.return = kprobe.function("compat_sys_adjtimex").return ?
+{
name = "compat_adjtimex"
retstr = returnstr(1)
}
@@ -167,9 +176,8 @@ probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex")
# unsigned long sys_alarm (unsigned int seconds)
# long sys32_alarm(unsigned int seconds)
#
-probe nd_syscall.alarm =
- kernel.function("sys_alarm") ?,
- kernel.function("sys32_alarm") ?
+probe nd_syscall.alarm = kprobe.function("sys_alarm") ?,
+ kprobe.function("sys32_alarm") ?
{
name = "alarm"
// seconds = $seconds
@@ -178,62 +186,64 @@ probe nd_syscall.alarm =
seconds = uint_arg(1)
argstr = sprint(seconds)
}
-probe nd_syscall.alarm.return =
- kernel.function("sys_alarm").return ?,
- kernel.function("sys32_alarm").return ?
+probe nd_syscall.alarm.return = kprobe.function("sys_alarm").return ?,
+ kprobe.function("sys32_alarm").return ?
{
name = "alarm"
retstr = returnstr(1)
}
# bdflush ____________________________________________________
-# long sys_bdflush(int func,long data)
-probe nd_syscall.bdflush = kernel.function("sys_bdflush") ? {
+# long sys_bdflush(int func, long data)
+probe nd_syscall.bdflush = kprobe.function("sys_bdflush") ?
+{
name = "bdflush"
// func = $func
// data = $data
- // if (($func>=2)&&($func%2==0))
- // data_str = sprintf("%p", $data)
- // else
- // data_str = sprintf("%d", $data)
+ // if (($func>=2)&&($func%2==0))
+ // data_str = sprintf("%p", $data)
+ // else
+ // data_str = sprintf("%d", $data)
asmlinkage()
func = int_arg(1)
data = long_arg(2)
- if ((func>=2)&&(func%2==0))
- data_str = sprintf("%p", data)
- else
- data_str = sprintf("%d", data)
- argstr = sprintf("%d, %s",func, data_str)
+ if ((func>=2)&&(func%2==0))
+ data_str = sprintf("%p", data)
+ else
+ data_str = sprintf("%d", data)
+ argstr = sprintf("%d, %s", func, data_str)
}
-probe nd_syscall.bdflush.return = kernel.function("sys_bdflush").return ? {
+probe nd_syscall.bdflush.return = kprobe.function("sys_bdflush").return ?
+{
name = "bdflush"
retstr = returnstr(1)
}
# bind _______________________________________________________
# long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
-probe nd_syscall.bind = kernel.function("sys_bind") ? {
+probe nd_syscall.bind = kprobe.function("sys_bind") ?
+{
name = "bind"
// sockfd = $fd
// my_addr_uaddr = $umyaddr
// addrlen = $addrlen
- // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen)
+ // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
my_addr_uaddr = pointer_arg(2)
addrlen = int_arg(3)
- argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr,addrlen),addrlen)
+ argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr, addrlen), addrlen)
}
-probe nd_syscall.bind.return = kernel.function("sys_bind").return ? {
+probe nd_syscall.bind.return = kprobe.function("sys_bind").return ?
+{
name = "bind"
retstr = returnstr(1)
}
# brk ________________________________________________________
# unsigned long sys_brk(unsigned long brk)
-probe nd_syscall.brk =
- kernel.function("sys_brk"),
- kernel.function("ia64_brk") ?
+probe nd_syscall.brk = kprobe.function("sys_brk"),
+ kprobe.function("ia64_brk") ?
{
name = "brk"
// brk = $brk
@@ -241,9 +251,8 @@ probe nd_syscall.brk =
brk = ulong_arg(1)
argstr = sprintf("%p", brk)
}
-probe nd_syscall.brk.return =
- kernel.function("sys_brk").return,
- kernel.function("ia64_brk").return ?
+probe nd_syscall.brk.return = kprobe.function("sys_brk").return,
+ kprobe.function("ia64_brk").return ?
{
name = "brk"
retstr = returnstr(1)
@@ -262,7 +271,8 @@ probe nd_syscall.brk.return =
* functions to export.
*/
# long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
-probe nd_syscall.capget = kernel.function("sys_capget") {
+probe nd_syscall.capget = kprobe.function("sys_capget")
+{
name = "capget"
// header_uaddr = $header
// data_uaddr = $dataptr
@@ -272,7 +282,8 @@ probe nd_syscall.capget = kernel.function("sys_capget") {
data_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
}
-probe nd_syscall.capget.return = kernel.function("sys_capget").return {
+probe nd_syscall.capget.return = kprobe.function("sys_capget").return
+{
name = "capget"
retstr = returnstr(1)
}
@@ -289,7 +300,8 @@ probe nd_syscall.capget.return = kernel.function("sys_capget").return {
* functions to export.
*/
# long sys_capset(cap_user_header_t header, const cap_user_data_t data)
-probe nd_syscall.capset = kernel.function("sys_capset") {
+probe nd_syscall.capset = kprobe.function("sys_capset")
+{
name = "capset"
// header_uaddr = $header
// data_uaddr = $data
@@ -299,14 +311,16 @@ probe nd_syscall.capset = kernel.function("sys_capset") {
data_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
}
-probe nd_syscall.capset.return = kernel.function("sys_capset").return {
+probe nd_syscall.capset.return = kprobe.function("sys_capset").return
+{
name = "capset"
retstr = returnstr(1)
}
# chdir ______________________________________________________
# long sys_chdir(const char __user * filename)
-probe nd_syscall.chdir = kernel.function("sys_chdir") {
+probe nd_syscall.chdir = kprobe.function("sys_chdir")
+{
name = "chdir"
// path = user_string($filename)
// argstr = user_string_quoted($filename)
@@ -314,14 +328,16 @@ probe nd_syscall.chdir = kernel.function("sys_chdir") {
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.chdir.return = kernel.function("sys_chdir").return {
+probe nd_syscall.chdir.return = kprobe.function("sys_chdir").return
+{
name = "chdir"
retstr = returnstr(1)
}
# chmod ______________________________________________________
# long sys_chmod(const char __user * filename, mode_t mode)
-probe nd_syscall.chmod = kernel.function("sys_chmod") {
+probe nd_syscall.chmod = kprobe.function("sys_chmod")
+{
name = "chmod"
// path = user_string($filename)
// mode = $mode
@@ -331,26 +347,29 @@ probe nd_syscall.chmod = kernel.function("sys_chmod") {
mode = uint_arg(2)
argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
}
-probe nd_syscall.chmod.return = kernel.function("sys_chmod").return {
+probe nd_syscall.chmod.return = kprobe.function("sys_chmod").return
+{
name = "chmod"
retstr = returnstr(1)
}
# chown ______________________________________________________
# long sys_chown(const char __user * filename, uid_t user, gid_t group)
-probe nd_syscall.chown = kernel.function("sys_chown") {
+probe nd_syscall.chown = kprobe.function("sys_chown")
+{
name = "chown"
// path = user_string($filename)
// owner = __int32($user)
// group = __int32($group)
- // argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string(pointer_arg(1))
owner = __int32(uint_arg(2))
group = __int32(uint_arg(3))
- argstr = sprintf("%s, %d, %d",user_string_quoted(pointer_arg(1)), owner, group)
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.chown.return = kernel.function("sys_chown").return {
+probe nd_syscall.chown.return = kprobe.function("sys_chown").return
+{
name = "chown"
retstr = returnstr(1)
}
@@ -358,7 +377,8 @@ probe nd_syscall.chown.return = kernel.function("sys_chown").return {
# long sys_chown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
-probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
+probe nd_syscall.chown16 = kprobe.function("sys_chown16") ?
+{
name = "chown16"
// path = user_string($filename)
// owner = __short($user)
@@ -370,14 +390,16 @@ probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
group = __short(uint_arg(3))
argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.chown16.return = kernel.function("sys_chown16").return ? {
+probe nd_syscall.chown16.return = kprobe.function("sys_chown16").return ?
+{
name = "chown16"
retstr = returnstr(1)
}
# chroot _____________________________________________________
# long sys_chroot(const char __user * filename)
-probe nd_syscall.chroot = kernel.function("sys_chroot") {
+probe nd_syscall.chroot = kprobe.function("sys_chroot")
+{
name = "chroot"
// path = user_string($filename)
// argstr = user_string_quoted($filename)
@@ -385,7 +407,8 @@ probe nd_syscall.chroot = kernel.function("sys_chroot") {
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
+probe nd_syscall.chroot.return = kprobe.function("sys_chroot").return
+{
name = "chroot"
retstr = returnstr(1)
}
@@ -394,9 +417,8 @@ probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
# long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp)
# long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp)
#
-probe nd_syscall.clock_getres =
- kernel.function("sys_clock_getres"),
- kernel.function("compat_clock_getres") ?
+probe nd_syscall.clock_getres = kprobe.function("sys_clock_getres"),
+ kprobe.function("compat_clock_getres") ?
{
name = "clock_getres"
// clk_id = $which_clock
@@ -409,9 +431,8 @@ probe nd_syscall.clock_getres =
res_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", clk_id_str, res_uaddr)
}
-probe nd_syscall.clock_getres.return =
- kernel.function("sys_clock_getres").return,
- kernel.function("compat_clock_getres").return ?
+probe nd_syscall.clock_getres.return = kprobe.function("sys_clock_getres").return,
+ kprobe.function("compat_clock_getres").return ?
{
name = "clock_getres"
retstr = returnstr(1)
@@ -420,8 +441,7 @@ probe nd_syscall.clock_getres.return =
# clock_gettime ______________________________________________
# long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp)
#
-probe nd_syscall.clock_gettime =
- kernel.function("sys_clock_gettime")
+probe nd_syscall.clock_gettime = kprobe.function("sys_clock_gettime")
{
name = "clock_gettime"
// clk_id = $which_clock
@@ -432,7 +452,7 @@ probe nd_syscall.clock_gettime =
clk_id_str = _get_wc_str(clk_id)
argstr = sprintf("%s, %p", clk_id_str, pointer_arg(2))
}
-probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").return
+probe nd_syscall.clock_gettime.return = kprobe.function("sys_clock_gettime").return
{
name = "clock_gettime"
retstr = returnstr(1)
@@ -444,14 +464,15 @@ probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").ret
# const struct timespec __user *rqtp,
# struct timespec __user *rmtp)
#
-probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
+probe nd_syscall.clock_nanosleep = kprobe.function("sys_clock_nanosleep")
+{
name = "clock_nanosleep"
// if ($flags == 1)
// flag_str = "TIMER_ABSTIME"
// else
// flag_str = sprintf("0x%x", $flags)
// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- // _struct_timespec_u($rqtp,1), $rmtp)
+ // _struct_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
@@ -459,9 +480,10 @@ probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
else
flag_str = sprintf("0x%x", flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
- _struct_timespec_u(pointer_arg(3),1), pointer_arg(4))
+ _struct_timespec_u(pointer_arg(3), 1), pointer_arg(4))
}
-probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep").return {
+probe nd_syscall.clock_nanosleep.return = kprobe.function("sys_clock_nanosleep").return
+{
name = "clock_nanosleep"
retstr = returnstr(1)
}
@@ -471,9 +493,8 @@ probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep")
# struct compat_timespec __user *rqtp,
# struct compat_timespec __user *rmtp)
#
-probe nd_syscall.compat_clock_nanosleep =
- kernel.function("compat_clock_nanosleep") ?,
- kernel.function("compat_sys_clock_nanosleep") ?
+probe nd_syscall.compat_clock_nanosleep = kprobe.function("compat_clock_nanosleep") ?,
+ kprobe.function("compat_sys_clock_nanosleep") ?
{
name = "compat_clock_nanosleep"
// if ($flags == 1)
@@ -481,7 +502,7 @@ probe nd_syscall.compat_clock_nanosleep =
// else
// flag_str = sprintf("0x%x", $flags)
// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- // _struct_compat_timespec_u($rqtp,1), $rmtp)
+ // _struct_compat_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
@@ -489,12 +510,11 @@ probe nd_syscall.compat_clock_nanosleep =
else
flag_str = sprintf("0x%x", flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
- _struct_compat_timespec_u(pointer_arg(3),1),
+ _struct_compat_timespec_u(pointer_arg(3), 1),
pointer_arg(4))
}
-probe nd_syscall.compat_clock_nanosleep.return =
- kernel.function("compat_clock_nanosleep").return ?,
- kernel.function("compat_sys_clock_nanosleep").return ?
+probe nd_syscall.compat_clock_nanosleep.return = kprobe.function("compat_clock_nanosleep").return ?,
+ kprobe.function("compat_sys_clock_nanosleep").return ?
{
name = "compat_clock_nanosleep"
retstr = returnstr(1)
@@ -504,68 +524,75 @@ probe nd_syscall.compat_clock_nanosleep.return =
# long sys_clock_settime(clockid_t which_clock,
# const struct timespec __user *tp)
#
-probe nd_syscall.clock_settime = kernel.function("sys_clock_settime") {
+probe nd_syscall.clock_settime = kprobe.function("sys_clock_settime")
+{
name = "clock_settime"
// clk_id = $which_clock
// clk_id_str = _get_wc_str($which_clock)
// tp_uaddr = $tp
- // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp,1))
+ // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp, 1))
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
tp_uaddr = pointer_arg(2)
- argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr,1))
+ argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr, 1))
}
-probe nd_syscall.clock_settime.return = kernel.function("sys_clock_settime").return {
+probe nd_syscall.clock_settime.return = kprobe.function("sys_clock_settime").return
+{
name = "clock_settime"
retstr = returnstr(1)
}
# close ______________________________________________________
# long sys_close(unsigned int fd)
-probe nd_syscall.close = kernel.function("sys_close") {
+probe nd_syscall.close = kprobe.function("sys_close")
+{
name = "close"
// fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.close.return = kernel.function("sys_close").return {
+probe nd_syscall.close.return = kprobe.function("sys_close").return
+{
name = "close"
retstr = returnstr(1)
}
# connect ____________________________________________________
# long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
-probe nd_syscall.connect = kernel.function("sys_connect") ? {
+probe nd_syscall.connect = kprobe.function("sys_connect") ?
+{
name = "connect"
// sockfd = $fd
// serv_addr_uaddr = $uservaddr
// addrlen = $addrlen
- // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen)
+ // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
serv_addr_uaddr = pointer_arg(2)
addrlen = int_arg(3)
- argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr,addrlen),addrlen)
+ argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr, addrlen), addrlen)
}
-probe nd_syscall.connect.return = kernel.function("sys_connect").return ? {
+probe nd_syscall.connect.return = kprobe.function("sys_connect").return ?
+{
name = "connect"
retstr = returnstr(1)
}
# creat
# long sys_creat(const char __user * pathname, int mode)
-probe nd_syscall.creat = kernel.function("sys_creat") ?
+probe nd_syscall.creat = kprobe.function("sys_creat") ?
{
name = "creat"
// mode = $mode
// pathname = user_string($pathname)
// argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ asmlinkage()
mode = int_arg(2)
pathname = user_string(pointer_arg(1))
argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
}
-probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
+probe nd_syscall.creat.return = kprobe.function("sys_creat").return ?
{
name = "creat"
retstr = returnstr(1)
@@ -573,20 +600,27 @@ probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
# delete_module ______________________________________________
# long sys_delete_module(const char __user *name_user, unsigned int flags)
-probe nd_syscall.delete_module = kernel.function("sys_delete_module") ? {
+probe nd_syscall.delete_module = kprobe.function("sys_delete_module") ?
+{
name = "delete_module"
- name_user = user_string($name_user)
- flags = $flags
- argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+ // name_user = user_string($name_user)
+ // flags = $flags
+ // argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+ asmlinkage()
+ name_user = user_string(pointer_arg(1))
+ flags = uint_arg(2)
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), _module_flags_str(uint_arg(2)))
}
-probe nd_syscall.delete_module.return = kernel.function("sys_delete_module").return ? {
+probe nd_syscall.delete_module.return = kprobe.function("sys_delete_module").return ?
+{
name = "delete_module"
retstr = returnstr(1)
}
# dup ________________________________________________________
# long sys_dup(unsigned int fildes)
-probe nd_syscall.dup = kernel.function("sys_dup") {
+probe nd_syscall.dup = kprobe.function("sys_dup")
+{
name = "dup"
// oldfd = $fildes
// argstr = sprint($fildes)
@@ -594,32 +628,44 @@ probe nd_syscall.dup = kernel.function("sys_dup") {
old_fd = int_arg(1)
argstr = sprint(old_fd)
}
-probe nd_syscall.dup.return = kernel.function("sys_dup").return {
+probe nd_syscall.dup.return = kprobe.function("sys_dup").return
+{
name = "dup"
retstr = returnstr(1)
}
# dup2 _______________________________________________________
# long sys_dup2(unsigned int oldfd, unsigned int newfd)
-probe nd_syscall.dup2 = kernel.function("sys_dup2") {
+probe nd_syscall.dup2 = kprobe.function("sys_dup2")
+{
name = "dup2"
- oldfd = $oldfd
- newfd = $newfd
- argstr = sprintf("%d, %d", $oldfd, $newfd)
+ // oldfd = $oldfd
+ // newfd = $newfd
+ // argstr = sprintf("%d, %d", $oldfd, $newfd)
+ asmlinkage()
+ oldfd = int_arg(1)
+ newfd = int_arg(2)
+ argstr = sprintf("%d, %d", oldfd, newfd)
}
-probe nd_syscall.dup2.return = kernel.function("sys_dup2").return {
+probe nd_syscall.dup2.return = kprobe.function("sys_dup2").return
+{
name = "dup2"
retstr = returnstr(1)
}
# epoll_create _______________________________________________
# long sys_epoll_create(int size)
-probe nd_syscall.epoll_create = kernel.function("sys_epoll_create") ? {
+probe nd_syscall.epoll_create = kprobe.function("sys_epoll_create") ?
+{
name = "epoll_create"
- size = $size
- argstr = sprint($size)
+ // size = $size
+ // argstr = sprint($size)
+ asmlinkage()
+ size = int_arg(1)
+ argstr = sprint(size)
}
-probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").return ? {
+probe nd_syscall.epoll_create.return = kprobe.function("sys_epoll_create").return ?
+{
name = "epoll_create"
retstr = returnstr(1)
}
@@ -630,21 +676,26 @@ probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").retur
# long compat_sys_epoll_ctl(int epfd, int op, int fd,
# struct compat_epoll_event __user *event)
#
-probe nd_syscall.epoll_ctl =
- kernel.function("sys_epoll_ctl") ?,
- kernel.function("compat_sys_epoll_ctl") ?
+probe nd_syscall.epoll_ctl = kprobe.function("sys_epoll_ctl") ?,
+ kprobe.function("compat_sys_epoll_ctl") ?
{
name = "epoll_ctl"
- epfd = $epfd
- op = $op
- op_str = _opoll_op_str($op)
- fd = $fd
- event_uaddr = $event
- argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
+ // epfd = $epfd
+ // eop = $op
+ // eop_str = _opoll_op_str($op)
+ // efd = $fd
+ // eevent_uaddr = $event
+ // eargstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
+ asmlinkage()
+ epfd = int_arg(1)
+ op = int_arg(2)
+ op_str = _opoll_op_str(op)
+ fd = int_arg(3)
+ event_uaddr = pointer_arg(4)
+ argstr = sprintf("%d, %s, %d, %p", epfd, op_str, fd, event_uaddr)
}
-probe nd_syscall.epoll_ctl.return =
- kernel.function("sys_epoll_ctl").return ?,
- kernel.function("compat_sys_epoll_ctl").return ?
+probe nd_syscall.epoll_ctl.return = kprobe.function("sys_epoll_ctl").return ?,
+ kprobe.function("compat_sys_epoll_ctl").return ?
{
name = "epoll_ctl"
retstr = returnstr(1)
@@ -661,17 +712,17 @@ probe nd_syscall.epoll_ctl.return =
# const compat_sigset_t __user *sigmask,
# compat_size_t sigsetsize)
#
-probe nd_syscall.epoll_pwait =
- kernel.function("sys_epoll_pwait") ?,
- kernel.function("compat_sys_epoll_pwait") ?
+probe nd_syscall.epoll_pwait = kprobe.function("sys_epoll_pwait") ?,
+ kprobe.function("compat_sys_epoll_pwait") ?
{
name = "epoll_pwait"
+ asmlinkage()
argstr = sprintf("%d, %p, %d, %d, %p, %d",
- $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+// $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+ int_arg(1), pointer_arg(2), int_arg(3), int_arg(4), pointer_arg(5), ulong_arg(6))
}
-probe nd_syscall.epoll_pwait.return =
- kernel.function("sys_epoll_pwait").return ?,
- kernel.function("compat_sys_epoll_pwait").return ?
+probe nd_syscall.epoll_pwait.return = kprobe.function("sys_epoll_pwait").return ?,
+ kprobe.function("compat_sys_epoll_pwait").return ?
{
name = "epoll_pwait"
retstr = returnstr(1)
@@ -685,20 +736,24 @@ probe nd_syscall.epoll_pwait.return =
# struct compat_epoll_event __user *events,
# int maxevents, int timeout)
#
-probe nd_syscall.epoll_wait =
- kernel.function("sys_epoll_wait") ?,
- kernel.function("compat_sys_epoll_wait") ?
+probe nd_syscall.epoll_wait = kprobe.function("sys_epoll_wait") ?,
+ kprobe.function("compat_sys_epoll_wait") ?
{
name = "epoll_wait"
- epfd = $epfd
- events_uaddr = $events
- maxevents = $maxevents
- timeout = $timeout
- argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
+ // epfd = $epfd
+ // events_uaddr = $events
+ // maxevents = $maxevents
+ // timeout = $timeout
+ // argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
+ asmlinkage()
+ epfd = int_arg(1)
+ events_uaddr = pointer_arg(2)
+ maxevents = int_arg(3)
+ timeout = int_arg(4)
+ argstr = sprintf("%d, %p, %d, %d", epfd, events_uaddr, maxevents, timeout)
}
-probe nd_syscall.epoll_wait.return =
- kernel.function("sys_epoll_wait").return ?,
- kernel.function("compat_sys_epoll_wait").return ?
+probe nd_syscall.epoll_wait.return = kprobe.function("sys_epoll_wait").return ?,
+ kprobe.function("compat_sys_epoll_wait").return ?
{
name = "epoll_wait"
retstr = returnstr(1)
@@ -707,11 +762,15 @@ probe nd_syscall.epoll_wait.return =
# eventfd _____________________________________________________
# long sys_eventfd(unsigned int count)
#
-probe nd_syscall.eventfd = kernel.function("sys_eventfd") ? {
+probe nd_syscall.eventfd = kprobe.function("sys_eventfd") ?
+{
name = "eventfd"
- argstr = sprint($count)
+ // argstr = sprint($count)
+ asmlinkage()
+ argstr = sprint(uint_arg(1))
}
-probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
+probe nd_syscall.eventfd.return = kprobe.function("sys_eventfd").return ?
+{
name = "eventfd"
retstr = returnstr(1)
}
@@ -723,18 +782,21 @@ probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
# char __user *__user *argv,
# char __user *__user *envp,
# struct pt_regs * regs)
-probe nd_syscall.execve = kernel.function("do_execve") {
+probe nd_syscall.execve = kprobe.function("do_execve")
+{
name = "execve"
// filename = kernel_string($filename)
// args = __get_argv($argv, 0)
// argstr = sprintf("%s %s", filename, __get_argv($argv, 1))
+ asmlinkage()
filename = kernel_string(pointer_arg(1))
args = __get_argv(pointer_arg(2), 0)
argstr = sprintf("%s %s", filename, __get_argv(pointer_arg(2), 1))
}
# v2.6.15-rc2 or earlier has problems with sys_execve return probes
# another reason to probe on do_execve
-probe nd_syscall.execve.return = kernel.function("do_execve").return {
+probe nd_syscall.execve.return = kprobe.function("do_execve").return
+{
name = "execve"
retstr = returnstr(1)
}
@@ -742,33 +804,47 @@ probe nd_syscall.execve.return = kernel.function("do_execve").return {
# compat_uptr_t __user *argv,
# compat_uptr_t __user *envp,
# struct pt_regs * regs)
-probe nd_syscall.compat_execve = kernel.function("compat_do_execve") ? {
+probe nd_syscall.compat_execve = kprobe.function("compat_do_execve") ?
+{
name = "compat_execve"
- filename = kernel_string($filename)
- args = __get_compat_argv($argv, 0)
- argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+ // filename = kernel_string($filename)
+ // args = __get_compat_argv($argv, 0)
+ // argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+ asmlinkage()
+ filename = kernel_string(pointer_arg(1))
+ args = __get_compat_argv(pointer_arg(2), 0)
+ argstr = sprintf("%s %s", filename, __get_compat_argv(pointer_arg(2), 1))
}
-probe nd_syscall.compat_execve.return = kernel.function("compat_do_execve").return ? {
+probe nd_syscall.compat_execve.return = kprobe.function("compat_do_execve").return ?
+{
name = "compat_execve"
retstr = returnstr(1)
}
# exit _______________________________________________________
# long sys_exit(int error_code)
-probe nd_syscall.exit = kernel.function("do_exit") {
+probe nd_syscall.exit = kprobe.function("do_exit")
+{
name = "exit"
- status = $code
- argstr = sprint($code)
+ // status = $code
+ // argstr = sprint($code)
+ asmlinkage()
+ status = int_arg(1)
+ argstr = sprint(status)
}
probe nd_syscall.exit.return = end {}
# exit_group _________________________________________________
# void sys_exit_group(int error_code)
#
-probe nd_syscall.exit_group = kernel.function("sys_exit_group") {
+probe nd_syscall.exit_group = kprobe.function("sys_exit_group")
+{
name = "exit_group"
- status = $error_code
- argstr = sprint($error_code)
+ // status = $error_code
+ // argstr = sprint($error_code)
+ asmlinkage()
+ status = int_arg(1)
+ argstr = sprint(status)
}
probe nd_syscall.exit_group.return = end {}
@@ -777,15 +853,23 @@ probe nd_syscall.exit_group.return = end {}
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
-probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") ? {
+probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64") ?
+{
name = "fadvise64"
- fs = $fd
- offset = $offset
- len = $len
- advice = $advice
- argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ // fd = $fd
+ // offset = $offset
+ // len = $len
+ // advice = $advice
+ // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ asmlinkage()
+ fd = int_arg(1)
+ offset = longlong_arg(2)
+ len = ulong_arg(3)
+ advice = int_arg(4)
+ argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
}
-probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
+probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return ?
+{
name = "fadvise64"
retstr = returnstr(1)
}
@@ -793,15 +877,23 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
-probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64")
+{
name = "fadvise64_64"
- fs = $fd
- offset = $offset
- len = $len
- advice = $advice
- argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ // fd = $fd
+ // offset = $offset
+ // len = $len
+ // advice = $advice
+ // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ asmlinkage()
+ fd = int_arg(1)
+ offset = longlong_arg(2)
+ len = ulong_arg(3)
+ advice = int_arg(4)
+ argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
}
-probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return {
+probe nd_syscall.fadvise64_64.return = kprobe.function("sys_fadvise64_64").return
+{
name = "fadvise64_64"
retstr = returnstr(1)
}
@@ -811,15 +903,17 @@ probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").retu
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
-probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") {
+probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64")
+{
name = "fadvise64"
- fs = 0
+ fd = 0
offset = 0
len = 0
advice = 0
argstr = ""
}
-probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
+probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return
+{
name = "fadvise64"
retstr = returnstr(1)
}
@@ -827,15 +921,17 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
-probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64")
+{
name = "fadvise64_64"
- fs = 0
+ fd = 0
offset = 0
len = 0
advice = 0
argstr = ""
}
-probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return {
+probe nd_syscall.fadvise64_64.return = kprobe.function("sys_fadvise64_64").return
+{
name = "fadvise64_64"
retstr = returnstr(1)
}
@@ -843,53 +939,77 @@ probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").retu
# fchdir _____________________________________________________
# long sys_fchdir(unsigned int fd)
-probe nd_syscall.fchdir = kernel.function("sys_fchdir") {
+probe nd_syscall.fchdir = kprobe.function("sys_fchdir")
+{
name = "fchdir"
- fd = $fd
- argstr = sprint($fd)
+ // fd = $fd
+ // argstr = sprint($fd)
+ asmlinkage()
+ fd = int_arg(1)
+ argstr = sprint(fd)
}
-probe nd_syscall.fchdir.return = kernel.function("sys_fchdir").return {
+probe nd_syscall.fchdir.return = kprobe.function("sys_fchdir").return
+{
name = "fchdir"
retstr = returnstr(1)
}
# fchmod _____________________________________________________
# long sys_fchmod(unsigned int fd, mode_t mode)
-probe nd_syscall.fchmod = kernel.function("sys_fchmod") {
+probe nd_syscall.fchmod = kprobe.function("sys_fchmod")
+{
name = "fchmod"
- fildes = $fd
- mode = $mode
- argstr = sprintf("%d, %#o", $fd, $mode)
+ // fildes = $fd
+ // mode = $mode
+ asmlinkage()
+ fildes = int_arg(1)
+ mode = uint_arg(2) # SAFE?
+ argstr = sprintf("%d, %#o", fildes, mode)
}
-probe nd_syscall.fchmod.return = kernel.function("sys_fchmod").return {
+probe nd_syscall.fchmod.return = kprobe.function("sys_fchmod").return
+{
name = "fchmod"
retstr = returnstr(1)
}
# fchown _____________________________________________________
# long sys_fchown(unsigned int fd, uid_t user, gid_t group)
-probe nd_syscall.fchown = kernel.function("sys_fchown") {
+probe nd_syscall.fchown = kprobe.function("sys_fchown")
+{
name = "fchown"
- fd = $fd
- owner = __int32($user)
- group = __int32($group)
- argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ // fd = $fd
+ // owner = __int32($user)
+ // group = __int32($group)
+ // argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ asmlinkage()
+ fd = int_arg(1)
+ owner = __int32(uint_arg(2))
+ group = __int32(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", fd, owner, group)
}
-probe nd_syscall.fchown.return = kernel.function("sys_fchown").return {
+probe nd_syscall.fchown.return = kprobe.function("sys_fchown").return
+{
name = "fchown"
retstr = returnstr(1)
}
# fchown16 ___________________________________________________
# long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
-probe nd_syscall.fchown16 = kernel.function("sys_fchown16") ? {
+probe nd_syscall.fchown16 = kprobe.function("sys_fchown16") ?
+{
name = "fchown16"
- fd = $fd
- owner = __short($user)
- group = __short($group)
- argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ // fd = $fd
+ // owner = __short($user)
+ // group = __short($group)
+ // argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ asmlinkage()
+ fd = int_arg(1)
+ owner = __short(uint_arg(2))
+ group = __short(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", fd, owner, group)
}
-probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
+probe nd_syscall.fchown16.return = kprobe.function("sys_fchown16").return ?
+{
name = "fchown16"
retstr = returnstr(1)
}
@@ -900,24 +1020,28 @@ probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
# long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
-probe nd_syscall.fcntl =
- kernel.function("sys_fcntl") ?,
- kernel.function("sys_fcntl64") ?,
- kernel.function("compat_sys_fcntl") ?,
- kernel.function("compat_sys_fcntl64") ?
+probe nd_syscall.fcntl = kprobe.function("sys_fcntl") ?,
+ kprobe.function("sys_fcntl64") ?,
+ kprobe.function("compat_sys_fcntl") ?,
+ kprobe.function("compat_sys_fcntl64") ?
{
name = "fcntl"
- fd = $fd
- cmd = $cmd
- cmd_str = _fcntl_cmd_str($cmd)
- arg = $arg
- argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
-}
-probe nd_syscall.fcntl.return =
- kernel.function("sys_fcntl").return ?,
- kernel.function("sys_fcntl64").return ?,
- kernel.function("compat_sys_fcntl").return ?,
- kernel.function("compat_sys_fcntl64").return ?
+ // fd = $fd
+ // cmd = $cmd
+ // cmd_str = _fcntl_cmd_str($cmd)
+ // arg = $arg
+ // argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
+ asmlinkage()
+ fd = int_arg(1)
+ cmd = int_arg(2)
+ cmd_str = _fcntl_cmd_str(cmd)
+ arg = long_arg(3)
+ argstr = sprintf("%d, %s, %p", fd, cmd_str, arg)
+}
+probe nd_syscall.fcntl.return = kprobe.function("sys_fcntl").return ?,
+ kprobe.function("sys_fcntl64").return ?,
+ kprobe.function("compat_sys_fcntl").return ?,
+ kprobe.function("compat_sys_fcntl64").return ?
{
name = "fcntl"
retstr = returnstr(1)
@@ -925,12 +1049,16 @@ probe nd_syscall.fcntl.return =
# fdatasync __________________________________________________
# long sys_fdatasync(unsigned int fd)
-probe nd_syscall.fdatasync = kernel.function("sys_fdatasync") {
+probe nd_syscall.fdatasync = kprobe.function("sys_fdatasync")
+{
name = "fdatasync"
- fd = $fd
+ // fd = $fd
+ asmlinkage()
+ fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
+probe nd_syscall.fdatasync.return = kprobe.function("sys_fdatasync").return
+{
name = "fdatasync"
retstr = returnstr(1)
}
@@ -938,42 +1066,61 @@ probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
# fgetxattr __________________________________________________
# ssize_t sys_fgetxattr(int fd, char __user *name,
# void __user *value, size_t size)
-probe nd_syscall.fgetxattr = kernel.function("sys_fgetxattr") {
+probe nd_syscall.fgetxattr = kprobe.function("sys_fgetxattr")
+{
name = "fgetxattr"
- filedes = $fd
-#FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
- argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size)
-}
-probe nd_syscall.fgetxattr.return = kernel.function("sys_fgetxattr").return {
+ // filedes = $fd
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%d, %s, %p, %d", $fd, user_string_quoted($name), value_uaddr, size)
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size)
+}
+probe nd_syscall.fgetxattr.return = kprobe.function("sys_fgetxattr").return
+{
name = "fgetxattr"
retstr = returnstr(1)
}
# flistxattr _________________________________________________
# ssize_t sys_flistxattr(int fd, char __user *list, size_t size)
-probe nd_syscall.flistxattr = kernel.function("sys_flistxattr") {
+probe nd_syscall.flistxattr = kprobe.function("sys_flistxattr")
+{
name = "flistxattr"
- filedes = $fd
- list_uaddr = $list
- size = $size
+ // filedes = $fd
+ // list_uaddr = $list
+ // size = $size
+ asmlinkage()
+ filedes = int_arg(1)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size)
}
-probe nd_syscall.flistxattr.return = kernel.function("sys_flistxattr").return {
+probe nd_syscall.flistxattr.return = kprobe.function("sys_flistxattr").return
+{
name = "flistxattr"
retstr = returnstr(1)
}
# flock ______________________________________________________
# long sys_flock(unsigned int fd, unsigned int cmd)
-probe nd_syscall.flock = kernel.function("sys_flock") {
+probe nd_syscall.flock = kprobe.function("sys_flock")
+{
name = "flock"
- fd = $fd
- operation = $cmd
+ // fd = $fd
+ // operation = $cmd
+ asmlinkage()
+ fd = int_arg(1)
+ operation = int_arg(2)
argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation))
}
-probe nd_syscall.flock.return = kernel.function("sys_flock").return {
+probe nd_syscall.flock.return = kprobe.function("sys_flock").return
+{
name = "flock"
retstr = returnstr(1)
}
@@ -1016,13 +1163,15 @@ CATCH_DEREF_FAULT();
# unsigned long stack_size,
# int __user *parent_tidptr,
# int __user *child_tidptr)
-probe nd_syscall.fork = kernel.function("do_fork") {
+probe nd_syscall.fork = kprobe.function("do_fork")
+{
// clone_flags = $clone_flags
// stack_start = $stack_start
// regs = $regs
// stack_size = $stack_size
// parent_tid_uaddr = $parent_tidptr
// child_tid_uaddr = $child_tidptr
+ asmlinkage()
clone_flags = ulong_arg(1)
stack_start = ulong_arg(2)
regs = pointer_arg(3)
@@ -1042,19 +1191,27 @@ probe nd_syscall.fork = kernel.function("do_fork") {
argstr = __fork_flags(clone_flags)
}
}
-probe nd_syscall.fork.return = kernel.function("do_fork").return {
+probe nd_syscall.fork.return = kprobe.function("do_fork").return
+{
name = "fork"
retstr = returnstr(1)
}
# fremovexattr _______________________________________________
# long sys_fremovexattr(int fd, char __user *name)
-probe nd_syscall.fremovexattr = kernel.function("sys_fremovexattr") {
+probe nd_syscall.fremovexattr = kprobe.function("sys_fremovexattr")
+{
name = "fremovexattr"
- filedes = $fd
- name_uaddr = $name
- argstr = sprintf("FIXME PLEASE")
+ // filedes = $fd
+ // name2 = user_string($name)
+ // argstr = sprintf("%d, %s", $fd, user_string_quoted($name))
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ argstr = sprintf("%d, %s", filedes, user_string_quoted(pointer_arg(2)))
}
-probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").return {
+probe nd_syscall.fremovexattr.return = kprobe.function("sys_fremovexattr").return
+{
name = "fremovexattr"
retstr = returnstr(1)
}
@@ -1068,17 +1225,26 @@ probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").retur
* size_t size,
* int flags)
*/
-probe nd_syscall.fsetxattr = kernel.function("sys_fsetxattr") {
+probe nd_syscall.fsetxattr = kprobe.function("sys_fsetxattr")
+{
name = "fsetxattr"
- filedes = $fd
-# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
- flags = $flags
- argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
-}
-probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
+ // filedes = $fd
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // flags = $flags
+ // argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ flags = int_arg(5)
+ argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size, flags)
+}
+probe nd_syscall.fsetxattr.return = kprobe.function("sys_fsetxattr").return
+{
name = "fsetxattr"
retstr = returnstr(1)
}
@@ -1092,26 +1258,28 @@ probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
# struct oldabi_stat64 __user * statbuf)
# long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf)
#
-probe nd_syscall.fstat =
- kernel.function("sys_fstat") ?,
- kernel.function("sys_fstat64") ?,
- kernel.function("sys32_fstat64") ?,
- kernel.function("sys_newfstat") ?,
- kernel.function("sys_oabi_fstat64") ?,
- kernel.function("compat_sys_newfstat") ?
+probe nd_syscall.fstat = kprobe.function("sys_fstat") ?,
+ kprobe.function("sys_fstat64") ?,
+ kprobe.function("sys32_fstat64") ?,
+ kprobe.function("sys_newfstat") ?,
+ kprobe.function("sys_oabi_fstat64") ?,
+ kprobe.function("compat_sys_newfstat") ?
{
name = "fstat"
- filedes = $fd
- buf_uaddr = $statbuf
- argstr = sprintf("%d, %p", $fd, $statbuf)
-}
-probe nd_syscall.fstat.return =
- kernel.function("sys_fstat").return ?,
- kernel.function("sys_fstat64").return ?,
- kernel.function("sys32_fstat64").return ?,
- kernel.function("sys_newfstat").return ?,
- kernel.function("sys_oabi_fstat64").return ?,
- kernel.function("compat_sys_newfstat").return ?
+ // filedes = $fd
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%d, %p", $fd, $statbuf)
+ asmlinkage()
+ filedes = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", filedes, buf_uaddr)
+}
+probe nd_syscall.fstat.return = kprobe.function("sys_fstat").return ?,
+ kprobe.function("sys_fstat64").return ?,
+ kprobe.function("sys32_fstat64").return ?,
+ kprobe.function("sys_newfstat").return ?,
+ kprobe.function("sys_oabi_fstat64").return ?,
+ kprobe.function("compat_sys_newfstat").return ?
{
name = "fstat"
retstr = returnstr(1)
@@ -1122,23 +1290,26 @@ probe nd_syscall.fstat.return =
# long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag)
# long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag)
# long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag)
-probe nd_syscall.fstatat =
- kernel.function("sys_fstatat64") ?,
- kernel.function("sys_newfstatat") ?,
- kernel.function("compat_sys_newfstatat") ?,
- kernel.function("sys32_fstatat64") ?
+probe nd_syscall.fstatat = kprobe.function("sys_fstatat64") ?,
+ kprobe.function("sys_newfstatat") ?,
+ kprobe.function("compat_sys_newfstatat") ?,
+ kprobe.function("sys32_fstatat64") ?
{
name = "fstatat"
- dirfd = $dfd
- path = user_string($filename)
- buf_uaddr = $statbuf
- argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
+ // dirfd = $dfd
+ // path = user_string($filename)
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
+ asmlinkage()
+ dirfd = int_arg(1)
+ path = user_string(pointer_arg(2))
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %p, %s", _dfd_str(dirfd), user_string_quoted(pointer_arg(2)), buf_uaddr, _at_flag_str(int_arg(4)))
}
-probe nd_syscall.fstatat.return =
- kernel.function("sys_fstatat64").return ?,
- kernel.function("sys_newfstatat").return ?,
- kernel.function("compat_sys_newfstatat").return ?,
- kernel.function("sys32_fstatat64").return ?
+probe nd_syscall.fstatat.return = kprobe.function("sys_fstatat64").return ?,
+ kprobe.function("sys_newfstatat").return ?,
+ kprobe.function("compat_sys_newfstatat").return ?,
+ kprobe.function("sys32_fstatat64").return ?
{
name = "fstatat"
retstr = returnstr(1)
@@ -1148,18 +1319,20 @@ probe nd_syscall.fstatat.return =
# long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
# long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf)
#
-probe nd_syscall.fstatfs =
- kernel.function("sys_fstatfs"),
- kernel.function("compat_sys_fstatfs") ?
+probe nd_syscall.fstatfs = kprobe.function("sys_fstatfs"),
+ kprobe.function("compat_sys_fstatfs") ?
{
name = "fstatfs"
- fd = $fd
- buf_uaddr = $buf
- argstr = sprintf("%d, %p", $fd, $buf)
+ // fd = $fd
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %p", $fd, $buf)
+ asmlinkage()
+ fd = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", fd, buf_uaddr)
}
-probe nd_syscall.fstatfs.return =
- kernel.function("sys_fstatfs").return,
- kernel.function("compat_sys_fstatfs").return ?
+probe nd_syscall.fstatfs.return = kprobe.function("sys_fstatfs").return,
+ kprobe.function("compat_sys_fstatfs").return ?
{
name = "fstatfs"
retstr = returnstr(1)
@@ -1169,19 +1342,22 @@ probe nd_syscall.fstatfs.return =
# long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
# long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf)
#
-probe nd_syscall.fstatfs64 =
- kernel.function("sys_fstatfs64") ?,
- kernel.function("compat_sys_fstatfs64") ?
+probe nd_syscall.fstatfs64 = kprobe.function("sys_fstatfs64") ?,
+ kprobe.function("compat_sys_fstatfs64") ?
{
name = "fstatfs"
- fd = $fd
- sz = $sz
- buf_uaddr = $buf
- argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+ // fd = $fd
+ // sz = $sz
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+ asmlinkage()
+ fd = int_arg(1)
+ sz = ulong_arg(2)
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", fd, sz, buf_uaddr)
}
-probe nd_syscall.fstatfs64.return =
- kernel.function("sys_fstatfs64").return ?,
- kernel.function("compat_sys_fstatfs64").return ?
+probe nd_syscall.fstatfs64.return = kprobe.function("sys_fstatfs64").return ?,
+ kprobe.function("compat_sys_fstatfs64").return ?
{
name = "fstatfs"
retstr = returnstr(1)
@@ -1189,37 +1365,51 @@ probe nd_syscall.fstatfs64.return =
# fsync ______________________________________________________
# long sys_fsync(unsigned int fd)
-probe nd_syscall.fsync = kernel.function("sys_fsync") {
+probe nd_syscall.fsync = kprobe.function("sys_fsync")
+{
name = "fsync"
- fd = $fd
+ // fd = $fd
+ asmlinkage()
+ fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.fsync.return = kernel.function("sys_fsync").return {
+probe nd_syscall.fsync.return = kprobe.function("sys_fsync").return
+{
name = "fsync"
retstr = returnstr(1)
}
# ftruncate __________________________________________________
# long sys_ftruncate(unsigned int fd, unsigned long length)
-probe nd_syscall.ftruncate = kernel.function("sys_ftruncate") {
+probe nd_syscall.ftruncate = kprobe.function("sys_ftruncate")
+{
name = "ftruncate"
- fd = $fd
- length = $length
+ // fd = $fd
+ // length = $length
+ asmlinkage()
+ fd = int_arg(1)
+ length = ulong_arg(2)
argstr = sprintf("%d, %d", fd, length)
}
-probe nd_syscall.ftruncate.return = kernel.function("sys_ftruncate").return {
+probe nd_syscall.ftruncate.return = kprobe.function("sys_ftruncate").return
+{
name = "ftruncate"
retstr = returnstr(1)
}
# ftruncate64 ________________________________________________
# long sys_ftruncate64(unsigned int fd, loff_t length)
-probe nd_syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? {
+probe nd_syscall.ftruncate64 = kprobe.function("sys_ftruncate64") ?
+{
name = "ftruncate"
- fd = $fd
- length = $length
+ // fd = $fd
+ // length = $length
+ asmlinkage()
+ fd = int_arg(1)
+ length = longlong_arg(2)
argstr = sprintf("%d, %d", fd, length)
}
-probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? {
+probe nd_syscall.ftruncate64.return = kprobe.function("sys_ftruncate64").return ?
+{
name = "ftruncate"
retstr = returnstr(1)
}
@@ -1235,7 +1425,8 @@ probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return
# struct compat_timespec __user *utime, u32 __user *uaddr2,
# u32 val3)
#
-probe nd_syscall.futex = kernel.function("sys_futex") ? {
+probe nd_syscall.futex = kprobe.function("sys_futex") ?
+{
name = "futex"
// futex_uaddr = $uaddr
// op = $op
@@ -1245,7 +1436,7 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? {
// val3 = $val3
// if (op == 0)
// argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- // $val, _struct_timespec_u($utime,1))
+ // $val, _struct_timespec_u($utime, 1))
// else
// argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
// $val)
@@ -1259,16 +1450,18 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? {
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
_futex_op_str(op), val,
- _struct_timespec_u(utime_uaddr,1))
+ _struct_timespec_u(utime_uaddr, 1))
else
argstr = sprintf("%p, %s, %d", futex_uaddr,
_futex_op_str(op), val)
}
-probe nd_syscall.futex.return = kernel.function("sys_futex").return ? {
+probe nd_syscall.futex.return = kprobe.function("sys_futex").return ?
+{
name = "futex"
retstr = returnstr(1)
}
-probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
+probe nd_syscall.compat_futex = kprobe.function("compat_sys_futex") ?
+{
name = "futex"
// futex_uaddr = $uaddr
// op = $op
@@ -1278,7 +1471,7 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
// val3 = $val3
// if (op == 0)
// argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- // $val, _struct_compat_timespec_u($utime,1))
+ // $val, _struct_compat_timespec_u($utime, 1))
// else
// argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
// $val)
@@ -1292,12 +1485,13 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
_futex_op_str(op), val,
- _struct_compat_timespec_u(utime_uaddr,1))
+ _struct_compat_timespec_u(utime_uaddr, 1))
else
argstr = sprintf("%p, %s, %d", futex_uaddr,
_futex_op_str(op), val)
}
-probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").return ? {
+probe nd_syscall.compat_futex.return = kprobe.function("compat_sys_futex").return ?
+{
name = "futex"
retstr = returnstr(1)
}
@@ -1308,69 +1502,95 @@ probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").retur
# long compat_sys_futimesat(unsigned int dfd, char __user *filename, struct compat_timeval __user *t)
#
-probe nd_syscall.futimesat = kernel.function("sys_futimesat") ? {
+probe nd_syscall.futimesat = kprobe.function("sys_futimesat") ?
+{
name = "futimesat"
- dirfd = $dfd
- filename_uaddr = $filename
- filename = user_string($filename)
- tvp_uaddr = $utimes
- argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
- _struct_timeval_u($utimes, 2))
-}
-probe nd_syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ? {
+ // dirfd = $dfd
+ // filename_uaddr = $filename
+ // filename = user_string($filename)
+ // tvp_uaddr = $utimes
+ // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
+ // _struct_timeval_u($utimes, 2))
+ asmlinkage()
+ dirfd = int_arg(1)
+ filename_uaddr = pointer_arg(2)
+ filename = user_string(filename_uaddr)
+ tvp_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %s", _dfd_str(dirfd), user_string_quoted(filename_uaddr),
+ _struct_timeval_u(tvp_uaddr, 2))
+}
+probe nd_syscall.compat_futimesat = kprobe.function("compat_sys_futimesat") ?
+{
name = "futimesat"
- dirfd = $dfd
- filename_uaddr = $filename
- filename = user_string($filename)
- tvp_uaddr = $t
- argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
- _struct_compat_timeval_u($t, 2))
-}
-probe nd_syscall.futimesat.return = kernel.function("sys_futimesat").return ? {
+ // dirfd = $dfd
+ // filename_uaddr = $filename
+ // filename = user_string($filename)
+ // tvp_uaddr = $utimes
+ // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
+ // _struct_timeval_u($utimes, 2))
+ asmlinkage()
+ dirfd = uint_arg(1)
+ filename_uaddr = pointer_arg(2)
+ filename = user_string(pointer_arg(2))
+ tvp_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),
+ _struct_compat_timeval_u(pointer_arg(3), 2))
+}
+probe nd_syscall.futimesat.return = kprobe.function("sys_futimesat").return ?
+{
name = "futimesat"
retstr = returnstr(1)
}
-probe nd_syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ? {
+probe nd_syscall.compat_futimesat.return = kprobe.function("compat_sys_futimesat").return ?
+{
name = "futimesat"
retstr = returnstr(1)
}
# getcwd _____________________________________________________
# long sys_getcwd(char __user *buf, unsigned long size)
-probe nd_syscall.getcwd = kernel.function("sys_getcwd") {
+probe nd_syscall.getcwd = kprobe.function("sys_getcwd")
+{
name = "getcwd"
- buf_uaddr = $buf
- size = $size
+ // buf_uaddr = $buf
+ // size = $size
+ asmlinkage()
+ buf_uaddr = pointer_arg(1)
+ size = ulong_arg(2)
argstr = sprintf("%p, %d", buf_uaddr, size)
}
-probe nd_syscall.getcwd.return = kernel.function("sys_getcwd").return {
+probe nd_syscall.getcwd.return = kprobe.function("sys_getcwd").return
+{
name = "getcwd"
retstr = returnstr(1)
}
# getdents ___________________________________________________
# long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count)
-# long compat_sys_getdents(unsigned int fd,struct compat_linux_dirent __user *dirent, unsigned int count)
+# long compat_sys_getdents(unsigned int fd, struct compat_linux_dirent __user *dirent, unsigned int count)
# long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
# long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
#
-probe nd_syscall.getdents =
- kernel.function("sys_getdents") ?,
- kernel.function("sys_getdents64") ?,
- kernel.function("compat_sys_getdents") ?,
- kernel.function("compat_sys_getdents64") ?
+probe nd_syscall.getdents = kprobe.function("sys_getdents") ?,
+ kprobe.function("sys_getdents64") ?,
+ kprobe.function("compat_sys_getdents") ?,
+ kprobe.function("compat_sys_getdents64") ?
{
name = "getdents"
- fd = $fd
- dirp_uaddr = $dirent
- count = $count
- argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+ // fd = $fd
+ // dirp_uaddr = $dirent
+ // count = $count
+ // argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+ asmlinkage()
+ fd = int_arg(1)
+ dirp_uaddr = pointer_arg(2)
+ count = uint_arg(3)
+ argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
}
-probe nd_syscall.getdents.return =
- kernel.function("sys_getdents").return ?,
- kernel.function("sys_getdents64").return ?,
- kernel.function("compat_sys_getdents").return ?,
- kernel.function("compat_sys_getdents64").return ?
+probe nd_syscall.getdents.return = kprobe.function("sys_getdents").return ?,
+ kprobe.function("sys_getdents64").return ?,
+ kprobe.function("compat_sys_getdents").return ?,
+ kprobe.function("compat_sys_getdents64").return ?
{
name = "getdents"
retstr = returnstr(1)
@@ -1381,18 +1601,16 @@ probe nd_syscall.getdents.return =
# long sys_getegid16(void)
# long sys32_getegid16(void)
#
-probe nd_syscall.getegid =
- kernel.function("sys_getegid16") ?,
- kernel.function("sys32_getegid16") ?,
- kernel.function("sys_getegid")
+probe nd_syscall.getegid = kprobe.function("sys_getegid16") ?,
+ kprobe.function("sys32_getegid16") ?,
+ kprobe.function("sys_getegid")
{
name = "getegid"
argstr = ""
}
-probe nd_syscall.getegid.return =
- kernel.function("sys_getegid16").return ?,
- kernel.function("sys32_getegid16").return ?,
- kernel.function("sys_getegid").return
+probe nd_syscall.getegid.return = kprobe.function("sys_getegid16").return ?,
+ kprobe.function("sys32_getegid16").return ?,
+ kprobe.function("sys_getegid").return
{
name = "getegid"
retstr = returnstr(1)
@@ -1402,18 +1620,16 @@ probe nd_syscall.getegid.return =
# long sys_geteuid(void)
# long sys32_geteuid16(void)
#
-probe nd_syscall.geteuid =
- kernel.function("sys_geteuid16") ?,
- kernel.function("sys32_geteuid16") ?,
- kernel.function("sys_geteuid")
+probe nd_syscall.geteuid = kprobe.function("sys_geteuid16") ?,
+ kprobe.function("sys32_geteuid16") ?,
+ kprobe.function("sys_geteuid")
{
name = "geteuid"
argstr = ""
}
-probe nd_syscall.geteuid.return =
- kernel.function("sys_geteuid16").return ?,
- kernel.function("sys32_geteuid16").return ?,
- kernel.function("sys_geteuid").return
+probe nd_syscall.geteuid.return = kprobe.function("sys_geteuid16").return ?,
+ kprobe.function("sys32_geteuid16").return ?,
+ kprobe.function("sys_geteuid").return
{
name = "geteuid"
retstr = returnstr(1)
@@ -1423,18 +1639,16 @@ probe nd_syscall.geteuid.return =
# long sys_getgid(void)
# long sys32_getgid16(void)
#
-probe nd_syscall.getgid =
- kernel.function("sys_getgid16") ?,
- kernel.function("sys32_getgid16") ?,
- kernel.function("sys_getgid")
+probe nd_syscall.getgid = kprobe.function("sys_getgid16") ?,
+ kprobe.function("sys32_getgid16") ?,
+ kprobe.function("sys_getgid")
{
name = "getgid"
argstr = ""
}
-probe nd_syscall.getgid.return =
- kernel.function("sys_getgid16").return ?,
- kernel.function("sys32_getgid16").return ?,
- kernel.function("sys_getgid").return
+probe nd_syscall.getgid.return = kprobe.function("sys_getgid16").return ?,
+ kprobe.function("sys32_getgid16").return ?,
+ kprobe.function("sys_getgid").return
{
name = "getgid"
retstr = returnstr(1)
@@ -1445,20 +1659,22 @@ probe nd_syscall.getgid.return =
# long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
# long sys32_getgroups16(int gidsetsize, u16 __user *grouplist)
#
-probe nd_syscall.getgroups =
- kernel.function("sys_getgroups") ?,
- kernel.function("sys_getgroups16") ?,
- kernel.function("sys32_getgroups16") ?
+probe nd_syscall.getgroups = kprobe.function("sys_getgroups") ?,
+ kprobe.function("sys_getgroups16") ?,
+ kprobe.function("sys32_getgroups16") ?
{
name = "getgroups"
- size = $gidsetsize
- list_uaddr = $grouplist
- argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+ // size = $gidsetsize
+ // list_uaddr = $grouplist
+ // argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+ asmlinkage()
+ size = int_arg(1)
+ list_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", size, list_uaddr)
}
-probe nd_syscall.getgroups.return =
- kernel.function("sys_getgroups").return ?,
- kernel.function("sys_getgroups16").return ?,
- kernel.function("sys32_getgroups16").return ?
+probe nd_syscall.getgroups.return = kprobe.function("sys_getgroups").return ?,
+ kprobe.function("sys_getgroups16").return ?,
+ kprobe.function("sys32_getgroups16").return ?
{
name = "getgroups"
retstr = returnstr(1)
@@ -1466,13 +1682,18 @@ probe nd_syscall.getgroups.return =
# gethostname ________________________________________________
# long sys_gethostname(char __user *name, int len)
-probe nd_syscall.gethostname = kernel.function("sys_gethostname") ? {
+probe nd_syscall.gethostname = kprobe.function("sys_gethostname") ?
+{
name = "gethostname"
- name_uaddr = $name
- len = $len
+ // name_uaddr = $name
+ // len = $len
+ asmlinkage()
+ name_uaddr = pointer_arg(1)
+ len = int_arg(2)
argstr = sprintf ("%p, %d", name_uaddr, len)
}
-probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return ? {
+probe nd_syscall.gethostname.return = kprobe.function("sys_gethostname").return ?
+{
name = "gethostname"
retstr = returnstr(1)
}
@@ -1480,24 +1701,36 @@ probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return
# getitimer __________________________________________________
# sys_getitimer(int which, struct itimerval __user *value)
#
-probe nd_syscall.getitimer = kernel.function("sys_getitimer") {
+probe nd_syscall.getitimer = kprobe.function("sys_getitimer")
+{
name = "getitimer"
- which = $which
- value_uaddr = $value
- argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
+ // which = $which
+ // value_uaddr = $value
+ // argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
+ asmlinkage()
+ which = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr )
}
-probe nd_syscall.getitimer.return = kernel.function("sys_getitimer").return {
+probe nd_syscall.getitimer.return = kprobe.function("sys_getitimer").return
+{
name = "getitimer"
retstr = returnstr(1)
}
# long compat_sys_getitimer(int which, struct compat_itimerval __user *it
-probe nd_syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? {
+probe nd_syscall.compat_getitimer = kprobe.function("compat_sys_getitimer") ?
+{
name = "getitimer"
- which = $which
- value_uaddr = $it
- argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
+ // which = $which
+ // value_uaddr = $it
+ // argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
+ asmlinkage()
+ which = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr)
}
-probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? {
+probe nd_syscall.compat_getitimer.return = kprobe.function("compat_sys_getitimer").return ?
+{
name = "getitimer"
retstr = returnstr(1)
}
@@ -1513,22 +1746,28 @@ probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer
# compat_ulong_t maxnode,
# compat_ulong_t addr, compat_ulong_t flags)
#
-probe nd_syscall.get_mempolicy =
- kernel.function("sys_get_mempolicy") ?,
- kernel.function("compat_sys_get_mempolicy") ?
+probe nd_syscall.get_mempolicy = kprobe.function("sys_get_mempolicy") ?,
+ kprobe.function("compat_sys_get_mempolicy") ?
{
name = "get_mempolicy"
- policy_uaddr = $policy
- nmask_uaddr = $nmask
- maxnode = $maxnode
- addr = $addr
- flags = $flags
- argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
- $nmask, $maxnode, $addr, $flags)
-}
-probe nd_syscall.get_mempolicy.return =
- kernel.function("sys_get_mempolicy").return ?,
- kernel.function("compat_sys_get_mempolicy").return ?
+ // policy_uaddr = $policy
+ // nmask_uaddr = $nmask
+ // maxnode = $maxnode
+ // addr = $addr
+ // flags = $flags
+ // argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
+ // $nmask, $maxnode, $addr, $flags)
+ asmlinkage()
+ policy_uaddr = pointer_arg(1)
+ nmask_uaddr = pointer_arg(2)
+ maxnode = ulong_arg(3)
+ addr = ulong_arg(4)
+ flags = ulong_arg(5)
+ argstr = sprintf("%p, %p, %d, %p, 0x%x", policy_uaddr,
+ nmask_uaddr, maxnode, addr, flags)
+}
+probe nd_syscall.get_mempolicy.return = kprobe.function("sys_get_mempolicy").return ?,
+ kprobe.function("compat_sys_get_mempolicy").return ?
{
name = "get_mempolicy"
retstr = returnstr(1)
@@ -1537,72 +1776,95 @@ probe nd_syscall.get_mempolicy.return =
# getpeername ________________________________________________
# long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len)
#
-probe nd_syscall.getpeername = kernel.function("sys_getpeername") ? {
+probe nd_syscall.getpeername = kprobe.function("sys_getpeername") ?
+{
name = "getpeername"
- s = $fd
- name_uaddr = $usockaddr
- namelen_uaddr = $usockaddr_len
- argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ // s = $fd
+ // name_uaddr = $usockaddr
+ // namelen_uaddr = $usockaddr_len
+ // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ asmlinkage()
+ s = int_arg(1)
+ name_uaddr = pointer_arg(2)
+ namelen_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
}
-probe nd_syscall.getpeername.return = kernel.function("sys_getpeername").return ? {
+probe nd_syscall.getpeername.return = kprobe.function("sys_getpeername").return ?
+{
name = "getpeername"
retstr = returnstr(1)
}
# getpgid ____________________________________________________
# long sys_getpgid(pid_t pid)
-probe nd_syscall.getpgid = kernel.function("sys_getpgid") {
+probe nd_syscall.getpgid = kprobe.function("sys_getpgid")
+{
name = "getpgid"
- pid = $pid
- argstr = sprintf("%d", $pid)
+ // pid = $pid
+ // argstr = sprintf("%d", $pid)
+ asmlinkage()
+ pid = int_arg(1)
+ argstr = sprintf("%d", pid)
}
-probe nd_syscall.getpgid.return = kernel.function("sys_getpgid").return {
+probe nd_syscall.getpgid.return = kprobe.function("sys_getpgid").return
+{
name = "getpgid"
retstr = returnstr(1)
}
# getpgrp ____________________________________________________
# long sys_getpgrp(void)
-probe nd_syscall.getpgrp = kernel.function("sys_getpgrp") ? {
+probe nd_syscall.getpgrp = kprobe.function("sys_getpgrp") ?
+{
name = "getpgrp"
argstr = ""
}
-probe nd_syscall.getpgrp.return = kernel.function("sys_getpgrp").return ? {
+probe nd_syscall.getpgrp.return = kprobe.function("sys_getpgrp").return ?
+{
name = "getpgrp"
retstr = returnstr(1)
}
# getpid _____________________________________________________
# long sys_getpid(void)
-probe nd_syscall.getpid = kernel.function("sys_getpid") {
+probe nd_syscall.getpid = kprobe.function("sys_getpid")
+{
name = "getpid"
argstr = ""
}
-probe nd_syscall.getpid.return = kernel.function("sys_getpid").return {
+probe nd_syscall.getpid.return = kprobe.function("sys_getpid").return
+{
name = "getpid"
retstr = returnstr(1)
}
# getppid ____________________________________________________
# long sys_getppid(void)
-probe nd_syscall.getppid = kernel.function("sys_getppid") {
+probe nd_syscall.getppid = kprobe.function("sys_getppid")
+{
name = "getppid"
argstr = ""
}
-probe nd_syscall.getppid.return = kernel.function("sys_getppid").return {
+probe nd_syscall.getppid.return = kprobe.function("sys_getppid").return
+{
name = "getppid"
retstr = returnstr(1)
}
# getpriority ________________________________________________
# long sys_getpriority(int which, int who)
-probe nd_syscall.getpriority = kernel.function("sys_getpriority") {
+probe nd_syscall.getpriority = kprobe.function("sys_getpriority")
+{
name = "getpriority"
- which = $which
- who = $who
+ // which = $which
+ // who = $who
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
argstr = sprintf("%s, %d", _priority_which_str(which), who)
}
-probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return {
+probe nd_syscall.getpriority.return = kprobe.function("sys_getpriority").return
+{
name = "getpriority"
retstr = returnstr(1)
}
@@ -1614,19 +1876,22 @@ probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return
# long sys_getresgid16(old_uid_t __user *rgid,
# old_uid_t __user *egid,
# old_uid_t __user *sgid)
-probe nd_syscall.getresgid =
- kernel.function("sys_getresgid16") ?,
- kernel.function("sys_getresgid")
+probe nd_syscall.getresgid = kprobe.function("sys_getresgid16") ?,
+ kprobe.function("sys_getresgid")
{
name = "getresgid"
- rgid_uaddr = $rgid
- egid_uaddr = $egid
- sgid_uaddr = $sgid
- argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+ // rgid_uaddr = $rgid
+ // egid_uaddr = $egid
+ // sgid_uaddr = $sgid
+ // argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+ asmlinkage()
+ rgid_uaddr = pointer_arg(1)
+ egid_uaddr = pointer_arg(2)
+ sgid_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %p, %p", rgid_uaddr, egid_uaddr, sgid_uaddr)
}
-probe nd_syscall.getresgid.return =
- kernel.function("sys_getresgid16").return ?,
- kernel.function("sys_getresgid").return
+probe nd_syscall.getresgid.return = kprobe.function("sys_getresgid16").return ?,
+ kprobe.function("sys_getresgid").return
{
name = "getresgid"
retstr = returnstr(1)
@@ -1636,19 +1901,22 @@ probe nd_syscall.getresgid.return =
# long sys_getresuid(uid_t __user *ruid,
# uid_t __user *euid,
# uid_t __user *suid)
-probe nd_syscall.getresuid =
- kernel.function("sys_getresuid16") ?,
- kernel.function("sys_getresuid")
+probe nd_syscall.getresuid = kprobe.function("sys_getresuid16") ?,
+ kprobe.function("sys_getresuid")
{
name = "getresuid"
- ruid_uaddr = $ruid
- euid_uaddr = $euid
- suid_uaddr = $suid
- argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+ // ruid_uaddr = $ruid
+ // euid_uaddr = $euid
+ // suid_uaddr = $suid
+ // argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+ asmlinkage()
+ ruid_uaddr = pointer_arg(1)
+ euid_uaddr = pointer_arg(2)
+ suid_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %p, %p", ruid_uaddr, euid_uaddr, suid_uaddr)
}
-probe nd_syscall.getresuid.return =
- kernel.function("sys_getresuid16").return ?,
- kernel.function("sys_getresuid").return
+probe nd_syscall.getresuid.return = kprobe.function("sys_getresuid16").return ?,
+ kprobe.function("sys_getresuid").return
{
name = "getresuid"
retstr = returnstr(1)
@@ -1658,18 +1926,22 @@ probe nd_syscall.getresuid.return =
# long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim)
-probe nd_syscall.getrlimit = kernel.function("sys_getrlimit"),
- kernel.function("sys_old_getrlimit") ?,
- kernel.function("compat_sys_getrlimit") ?
+probe nd_syscall.getrlimit = kprobe.function("sys_getrlimit"),
+ kprobe.function("sys_old_getrlimit") ?,
+ kprobe.function("compat_sys_getrlimit") ?
{
name = "getrlimit"
- resource = $resource
- rlim_uaddr = $rlim
- argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
+ // resource = $resource
+ // rlim_uaddr = $rlim
+ // argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
+ asmlinkage()
+ resource = uint_arg(1)
+ rlim_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _rlimit_resource_str(resource), rlim_uaddr)
}
-probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
- kernel.function("sys_old_getrlimit").return ?,
- kernel.function("compat_sys_getrlimit").return ?
+probe nd_syscall.getrlimit.return = kprobe.function("sys_getrlimit").return,
+ kprobe.function("sys_old_getrlimit").return ?,
+ kprobe.function("compat_sys_getrlimit").return ?
{
name = "getrlimit"
retstr = returnstr(1)
@@ -1677,7 +1949,8 @@ probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
# getrusage __________________________________________________
# long sys_getrusage(int who, struct rusage __user *ru)
-probe nd_syscall.getrusage = kernel.function("sys_getrusage") {
+probe nd_syscall.getrusage = kprobe.function("sys_getrusage")
+{
name = "getrusage"
// who = $who
// if($who==-2)
@@ -1704,19 +1977,24 @@ probe nd_syscall.getrusage = kernel.function("sys_getrusage") {
usage_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", who_str, usage_uaddr)
}
-probe nd_syscall.getrusage.return = kernel.function("sys_getrusage").return {
+probe nd_syscall.getrusage.return = kprobe.function("sys_getrusage").return
+{
name = "getrusage"
retstr = returnstr(1)
}
# getsid _____________________________________________________
# long sys_getsid(pid_t pid)
-probe nd_syscall.getsid = kernel.function("sys_getsid") {
+probe nd_syscall.getsid = kprobe.function("sys_getsid")
+{
name = "getsid"
- pid = $pid
+ // pid = $pid
+ asmlinkage()
+ pid = int_arg(1)
argstr = sprint(pid)
}
-probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
+probe nd_syscall.getsid.return = kprobe.function("sys_getsid").return
+{
name = "getsid"
retstr = returnstr(1)
}
@@ -1725,14 +2003,21 @@ probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
# long sys_getsockname(int fd,
# struct sockaddr __user *usockaddr,
# int __user *usockaddr_len)
-probe nd_syscall.getsockname = kernel.function("sys_getsockname") ? {
+probe nd_syscall.getsockname = kprobe.function("sys_getsockname") ?
+{
name = "getsockname"
- s = $fd
- name_uaddr = $usockaddr
- namelen_uaddr = $usockaddr_len
- argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ // s = $fd
+ // name_uaddr = $usockaddr
+ // namelen_uaddr = $usockaddr_len
+ // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ asmlinkage()
+ s = int_arg(1)
+ name_uaddr = pointer_arg(2)
+ namelen_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
}
-probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return ? {
+probe nd_syscall.getsockname.return = kprobe.function("sys_getsockname").return ?
+{
name = "getsockname"
retstr = returnstr(1)
}
@@ -1744,24 +2029,32 @@ probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return
# char __user *optval,
# int __user *optlen)
#
-probe nd_syscall.getsockopt =
- kernel.function("sys_getsockopt") ?,
- kernel.function("compat_sys_getsockopt") ?
+probe nd_syscall.getsockopt = kprobe.function("sys_getsockopt") ?,
+ kprobe.function("compat_sys_getsockopt") ?
{
name = "getsockopt"
- fd = $fd
- level = $level
- level_str = _sockopt_level_str($level)
- optname = $optname
- optname_str = _sockopt_optname_str($optname)
- optval_uaddr = $optval
- optlen_uaddr = $optlen
- argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
- _sockopt_optname_str($optname), $optval, $optlen)
-}
-probe nd_syscall.getsockopt.return =
- kernel.function("sys_getsockopt").return ?,
- kernel.function("compat_sys_getsockopt").return ?
+ // fd = $fd
+ // level = $level
+ // level_str = _sockopt_level_str($level)
+ // optname = $optname
+ // optname_str = _sockopt_optname_str($optname)
+ // optval_uaddr = $optval
+ // optlen_uaddr = $optlen
+ // argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
+ // _sockopt_optname_str($optname), $optval, $optlen)
+ asmlinkage()
+ fd = int_arg(1)
+ level = int_arg(2)
+ level_str = _sockopt_level_str(level)
+ optname = int_arg(3)
+ optname_str = _sockopt_optname_str(optname)
+ optval_uaddr = pointer_arg(4)
+ optlen_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %s, %s, %p, %p", fd, _sockopt_level_str(level),
+ _sockopt_optname_str(optname), optval_uaddr, optlen_uaddr)
+}
+probe nd_syscall.getsockopt.return = kprobe.function("sys_getsockopt").return ?,
+ kprobe.function("compat_sys_getsockopt").return ?
{
name = "getsockopt"
retstr = returnstr(1)
@@ -1769,11 +2062,13 @@ probe nd_syscall.getsockopt.return =
# gettid _____________________________________________________
# long sys_gettid(void)
-probe nd_syscall.gettid = kernel.function("sys_gettid") {
+probe nd_syscall.gettid = kprobe.function("sys_gettid")
+{
name = "gettid"
argstr = ""
}
-probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
+probe nd_syscall.gettid.return = kprobe.function("sys_gettid").return
+{
name = "gettid"
retstr = returnstr(1)
}
@@ -1785,21 +2080,23 @@ probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
# struct timezone __user *tz)
# long compat_sys_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
-probe nd_syscall.gettimeofday =
- kernel.function("sys_gettimeofday"),
- kernel.function("sys32_gettimeofday") ?,
- kernel.function("compat_sys_gettimeofday") ?
+probe nd_syscall.gettimeofday = kprobe.function("sys_gettimeofday"),
+ kprobe.function("sys32_gettimeofday") ?,
+ kprobe.function("compat_sys_gettimeofday") ?
{
name = "gettimeofday"
- tv_uaddr = $tv
- tz_uaddr = $tz
- argstr = sprintf("%p, %p", $tv, $tz)
+ // tv_uaddr = $tv
+ // tz_uaddr = $tz
+ // argstr = sprintf("%p, %p", $tv, $tz)
+ asmlinkage()
+ tv_uaddr = pointer_arg(1)
+ tz_uaddr = pointer_arg(2)
+ argstr = sprintf("%p, %p", tv_uaddr, tz_uaddr)
}
-probe nd_syscall.gettimeofday.return =
- kernel.function("sys_gettimeofday").return,
- kernel.function("sys32_gettimeofday").return ?,
- kernel.function("compat_sys_gettimeofday").return ?
+probe nd_syscall.gettimeofday.return = kprobe.function("sys_gettimeofday").return,
+ kprobe.function("sys32_gettimeofday").return ?,
+ kprobe.function("compat_sys_gettimeofday").return ?
{
name = "gettimeofday"
retstr = returnstr(1)
@@ -1810,18 +2107,16 @@ probe nd_syscall.gettimeofday.return =
# long sys_getuid16(void)
# long sys32_getuid16(void)
#
-probe nd_syscall.getuid =
- kernel.function("sys_getuid16") ?,
- kernel.function("sys32_getuid16") ?,
- kernel.function("sys_getuid")
+probe nd_syscall.getuid = kprobe.function("sys_getuid16") ?,
+ kprobe.function("sys32_getuid16") ?,
+ kprobe.function("sys_getuid")
{
name = "getuid"
argstr = ""
}
-probe nd_syscall.getuid.return =
- kernel.function("sys_getuid16").return ?,
- kernel.function("sys32_getuid16").return ?,
- kernel.function("sys_getuid").return
+probe nd_syscall.getuid.return = kprobe.function("sys_getuid16").return ?,
+ kprobe.function("sys32_getuid16").return ?,
+ kprobe.function("sys_getuid").return
{
name = "getuid"
retstr = returnstr(1)
@@ -1830,19 +2125,38 @@ probe nd_syscall.getuid.return =
# getxattr ___________________________________________________
# ssize_t sys_getxattr(char __user *path, char __user *name,
# void __user *value, size_t size)
-probe nd_syscall.getxattr = kernel.function("sys_getxattr") {
+probe nd_syscall.getxattr = kprobe.function("sys_getxattr")
+{
name = "getxattr"
- path = user_string($path)
+ // %( kernel_v >= "2.6.27" %?
+ // path = user_string($pathname)
+ // %:
+ // path = user_string($path)
+ // %)
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%s, %s, %p, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, size)
+ asmlinkage()
+ path = pointer_arg(1)
# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
argstr = sprintf("%s, %s, %p, %d",
- user_string_quoted($path),
- user_string_quoted($name),
+ user_string_quoted(path),
+ user_string_quoted(pointer_arg(2)),
value_uaddr, size)
}
-probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
+probe nd_syscall.getxattr.return = kprobe.function("sys_getxattr").return
+{
name = "getxattr"
retstr = returnstr(1)
}
@@ -1852,14 +2166,21 @@ probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
# unsigned long len,
# const char __user *uargs)
#
-probe nd_syscall.init_module = kernel.function("sys_init_module") ? {
+probe nd_syscall.init_module = kprobe.function("sys_init_module") ?
+{
name = "init_module"
- umod_uaddr = $umod
- len = $len
- uargs = user_string($uargs)
- argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+ // umod_uaddr = $umod
+ // len = $len
+ // uargs = user_string($uargs)
+ // argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+ asmlinkage()
+ umod_uaddr = pointer_arg(1)
+ len = ulong_arg(2)
+ uargs = user_string(pointer_arg(3))
+ argstr = sprintf("%p, %d, %s", umod_uaddr, len, user_string_quoted(pointer_arg(4)))
}
-probe nd_syscall.init_module.return = kernel.function("sys_init_module").return ? {
+probe nd_syscall.init_module.return = kprobe.function("sys_init_module").return ?
+{
name = "init_module"
retstr = returnstr(1)
}
@@ -1868,15 +2189,29 @@ probe nd_syscall.init_module.return = kernel.function("sys_init_module").return
#
# long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
#
-probe nd_syscall.inotify_add_watch = kernel.function("sys_inotify_add_watch") ? {
+probe nd_syscall.inotify_add_watch = kprobe.function("sys_inotify_add_watch") ?
+{
name = "inotify_add_watch"
- fd = $fd
- path_uaddr = $path
- path = user_string($path)
- mask = $mask
- argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+ // fd = $fd
+ // mask = $mask
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($pathname), $mask)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+ // %)
+ asmlinkage()
+ fd = int_arg(1)
+ path_uaddr = pointer_arg(2)
+ path = user_string(path_uaddr)
+ mask = uint_arg(3)
+ argstr = sprintf("%d, %s, %d", fd, user_string_quoted(path_uaddr), mask)
}
-probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_watch").return ? {
+probe nd_syscall.inotify_add_watch.return = kprobe.function("sys_inotify_add_watch").return ?
+{
name = "inotify_add_watch"
retstr = returnstr(1)
}
@@ -1885,11 +2220,13 @@ probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_wat
#
# long sys_inotify_init(void)
#
-probe nd_syscall.inotify_init = kernel.function("sys_inotify_init") ? {
+probe nd_syscall.inotify_init = kprobe.function("sys_inotify_init") ?
+{
name = "inotify_init"
argstr = ""
}
-probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").return ? {
+probe nd_syscall.inotify_init.return = kprobe.function("sys_inotify_init").return ?
+{
name = "inotify_init"
retstr = returnstr(1)
}
@@ -1898,13 +2235,19 @@ probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").retur
#
# long sys_inotify_rm_watch(int fd, u32 wd)
#
-probe nd_syscall.inotify_rm_watch = kernel.function("sys_inotify_rm_watch") ? {
+probe nd_syscall.inotify_rm_watch = kprobe.function("sys_inotify_rm_watch") ?
+{
name = "inotify_rm_watch"
- fd = $fd
- wd = $wd
- argstr = sprintf("%d, %d", $fd, $wd)
+ // fd = $fd
+ // wd = $wd
+ // argstr = sprintf("%d, %d", $fd, $wd)
+ asmlinkage()
+ fd = int_arg(1)
+ wd = uint_arg(2)
+ argstr = sprintf("%d, %d", fd, wd)
}
-probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch").return ? {
+probe nd_syscall.inotify_rm_watch.return = kprobe.function("sys_inotify_rm_watch").return ?
+{
name = "inotify_rm_watch"
retstr = returnstr(1)
}
@@ -1913,14 +2256,20 @@ probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch
# long sys_io_cancel(aio_context_t ctx_id,
# struct iocb __user *iocb,
# struct io_event __user *result)
-probe nd_syscall.io_cancel = kernel.function("sys_io_cancel") {
+probe nd_syscall.io_cancel = kprobe.function("sys_io_cancel")
+{
name = "io_cancel"
- ctx_id = $ctx_id
- iocb_uaddr = $iocb
- result_uaddr = $result
+ // ctx_id = $ctx_id
+ // iocb_uaddr = $iocb
+ // result_uaddr = $result
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ iocb_uaddr = pointer_arg(2)
+ result_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)
}
-probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
+probe nd_syscall.io_cancel.return = kprobe.function("sys_io_cancel").return
+{
name = "io_cancel"
retstr = returnstr(1)
}
@@ -1929,19 +2278,22 @@ probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
# long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
-probe nd_syscall.ioctl =
- kernel.function("sys_ioctl") ?,
- kernel.function("compat_sys_ioctl") ?
+probe nd_syscall.ioctl = kprobe.function("sys_ioctl") ?,
+ kprobe.function("compat_sys_ioctl") ?
{
name = "ioctl"
- fd = $fd
- request = $cmd
- argp = $arg
- argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+ // fd = $fd
+ // request = $cmd
+ // argp = $arg
+ // argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+ asmlinkage()
+ fd = int_arg(1)
+ request = int_arg(2)
+ argp = ulong_arg(3)
+ argstr = sprintf("%d, %d, %p", fd, request, argp)
}
-probe nd_syscall.ioctl.return =
- kernel.function("sys_ioctl").return ?,
- kernel.function("compat_sys_ioctl").return ?
+probe nd_syscall.ioctl.return = kprobe.function("sys_ioctl").return ?,
+ kprobe.function("compat_sys_ioctl").return ?
{
name = "ioctl"
retstr = returnstr(1)
@@ -1949,12 +2301,16 @@ probe nd_syscall.ioctl.return =
# io_destroy _________________________________________________
# long sys_io_destroy(aio_context_t ctx)
-probe nd_syscall.io_destroy = kernel.function("sys_io_destroy") {
+probe nd_syscall.io_destroy = kprobe.function("sys_io_destroy")
+{
name = "io_destroy"
- ctx = $ctx
+ // ctx = $ctx
+ asmlinkage()
+ ctx = ulong_arg(1)
argstr = sprintf("%d", ctx)
}
-probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
+probe nd_syscall.io_destroy.return = kprobe.function("sys_io_destroy").return
+{
name = "io_destroy"
retstr = returnstr(1)
}
@@ -1971,23 +2327,30 @@ probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
# struct io_event __user *events,
# struct compat_timespec __user *timeout)
#
-probe nd_syscall.io_getevents =
- kernel.function("sys_io_getevents") ?,
- kernel.function("compat_sys_io_getevents") ?
+probe nd_syscall.io_getevents = kprobe.function("sys_io_getevents") ?,
+ kprobe.function("compat_sys_io_getevents") ?
{
name = "io_getevents"
- ctx_id = $ctx_id
- min_nr = $min_nr
- nr = $nr
- events_uaddr = $events
- timeout_uaddr = $timeout
- timestr = _struct_timespec_u($timeout,1)
- argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
- $nr, $events, $timeout, timestr)
-}
-probe nd_syscall.io_getevents.return =
- kernel.function("sys_io_getevents").return ?,
- kernel.function("compat_sys_io_getevents").return ?
+ // ctx_id = $ctx_id
+ // min_nr = $min_nr
+ // nr = $nr
+ // events_uaddr = $events
+ // timeout_uaddr = $timeout
+ // timestr = _struct_timespec_u($timeout, 1)
+ // argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
+ // $nr, $events, $timeout, timestr)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ min_nr = long_arg(2)
+ nr = long_arg(3)
+ events_uaddr = pointer_arg(4)
+ timeout_uaddr = pointer_arg(5)
+ timestr = _struct_timespec_u(timeout_uaddr, 1)
+ argstr = sprintf("%d, %d, %d, %p, %p, %s", ctx_id, min_nr,
+ nr, events_uaddr, timeout_uaddr, timestr)
+}
+probe nd_syscall.io_getevents.return = kprobe.function("sys_io_getevents").return ?,
+ kprobe.function("compat_sys_io_getevents").return ?
{
name = "io_getevents"
retstr = returnstr(1)
@@ -1996,14 +2359,21 @@ probe nd_syscall.io_getevents.return =
# ioperm _____________________________________________________
# long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
#
-probe nd_syscall.ioperm = kernel.function("sys_ioperm") ? {
+probe nd_syscall.ioperm = kprobe.function("sys_ioperm") ?
+{
name = "ioperm"
- from = $from
- num = $num
- turn_on = $turn_on
- argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+ // from = $from
+ // num = $num
+ // turn_on = $turn_on
+ // argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+ asmlinkage()
+ from = ulong_arg(1)
+ num = ulong_arg(2)
+ turn_on = int_arg(3)
+ argstr = sprintf("%d, %d, %d", from, num, turn_on)
}
-probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
+probe nd_syscall.ioperm.return = kprobe.function("sys_ioperm").return ?
+{
name = "ioperm"
retstr = returnstr(1)
}
@@ -2011,27 +2381,39 @@ probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
# io_setup ___________________________________________________
# long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
#
-probe nd_syscall.io_setup = kernel.function("sys_io_setup") {
+probe nd_syscall.io_setup = kprobe.function("sys_io_setup")
+{
name = "io_setup"
- maxevents = $nr_events
- ctxp_uaddr = $ctxp
- argstr = sprintf("%d, %p", $nr_events, $ctxp)
+ // maxevents = $nr_events
+ // ctxp_uaddr = $ctxp
+ // argstr = sprintf("%d, %p", $nr_events, $ctxp)
+ asmlinkage()
+ maxevents = uint_arg(1)
+ ctxp_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
-probe nd_syscall.io_setup.return = kernel.function("sys_io_setup").return {
+probe nd_syscall.io_setup.return = kprobe.function("sys_io_setup").return
+{
name = "io_setup"
retstr = returnstr(1)
}
# long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
#
-probe nd_syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ? {
+probe nd_syscall.compat_io_setup = kprobe.function("compat_sys_io_setup") ?
+{
name = "io_setup"
- maxevents = $nr_reqs
- ctxp_uaddr = $ctx32p
- argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+ // maxevents = $nr_reqs
+ // ctxp_uaddr = $ctx32p
+ // argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+ asmlinkage()
+ maxevents = uint_arg(1)
+ ctxp_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
-probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ? {
+probe nd_syscall.compat_io_setup.return = kprobe.function("compat_sys_io_setup").return ?
+{
name = "io_setup"
retstr = returnstr(1)
}
@@ -2039,27 +2421,41 @@ probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup")
# io_submit __________________________________________________
# long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp)
#
-probe nd_syscall.io_submit = kernel.function("sys_io_submit") {
+probe nd_syscall.io_submit = kprobe.function("sys_io_submit")
+{
name = "io_submit"
- ctx_id = $ctx_id
- nr = $nr
- iocbpp_uaddr = $iocbpp
- argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+ // ctx_id = $ctx_id
+ // nr = $nr
+ // iocbpp_uaddr = $iocbpp
+ // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ nr = long_arg(2)
+ iocbpp_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
-probe nd_syscall.io_submit.return = kernel.function("sys_io_submit").return {
+probe nd_syscall.io_submit.return = kprobe.function("sys_io_submit").return
+{
name = "io_submit"
retstr = returnstr(1)
}
# long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb)
#
-probe nd_syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ? {
+probe nd_syscall.compat_io_submit = kprobe.function("compat_sys_io_submit") ?
+{
name = "io_submit"
- ctx_id = $ctx_id
- nr = $nr
- iocbpp_uaddr = $iocb
- argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+ // ctx_id = $ctx_id
+ // nr = $nr
+ // iocbpp_uaddr = $iocb
+ // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ nr = int_arg(2)
+ iocbpp_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
-probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ? {
+probe nd_syscall.compat_io_submit.return = kprobe.function("compat_sys_io_submit").return ?
+{
name = "io_submit"
retstr = returnstr(1)
}
@@ -2067,13 +2463,19 @@ probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit
# ioprio_get _________________________________________________
# long sys_ioprio_get(int which, int who)
#
-probe nd_syscall.ioprio_get = kernel.function("sys_ioprio_get") ? {
+probe nd_syscall.ioprio_get = kprobe.function("sys_ioprio_get") ?
+{
name = "ioprio_get"
- which = $which
- who = $who
- argstr = sprintf("%d, %d", $which, $who)
+ // which = $which
+ // who = $who
+ // argstr = sprintf("%d, %d", $which, $who)
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
+ argstr = sprintf("%d, %d", which, who)
}
-probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? {
+probe nd_syscall.ioprio_get.return = kprobe.function("sys_ioprio_get").return ?
+{
name = "ioprio_get"
retstr = returnstr(1)
}
@@ -2081,14 +2483,21 @@ probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ?
# ioprio_set _________________________________________________
# long sys_ioprio_set(int which, int who, int ioprio)
#
-probe nd_syscall.ioprio_set = kernel.function("sys_ioprio_set") ? {
+probe nd_syscall.ioprio_set = kprobe.function("sys_ioprio_set") ?
+{
name = "ioprio_set"
- which = $which
- who = $who
- ioprio = $ioprio
- argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+ // which = $which
+ // who = $who
+ // ioprio = $ioprio
+ // argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
+ ioprio = int_arg(3)
+ argstr = sprintf("%d, %d, %d", which, who, ioprio)
}
-probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? {
+probe nd_syscall.ioprio_set.return = kprobe.function("sys_ioprio_set").return ?
+{
name = "ioprio_set"
retstr = returnstr(1)
}
@@ -2103,20 +2512,24 @@ probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ?
# struct compat_kexec_segment __user *segments,
# unsigned long flags)
#
-probe nd_syscall.kexec_load =
- kernel.function("sys_kexec_load") ?,
- kernel.function("compat_sys_kexec_load") ?
+probe nd_syscall.kexec_load = kprobe.function("sys_kexec_load") ?,
+ kprobe.function("compat_sys_kexec_load") ?
{
name = "kexec_load"
- entry = $entry
- nr_segments = $nr_segments
- segments_uaddr = $segments
- flags = $flags
- argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
+ // entry = $entry
+ // nr_segments = $nr_segments
+ // segments_uaddr = $segments
+ // flags = $flags
+ // argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
+ asmlinkage()
+ entry = ulong_arg(1)
+ nr_segments = ulong_arg(2)
+ segments_uaddr = pointer_arg(3)
+ flags = ulong_arg(4)
+ argstr = sprintf("%p, %d, %p, %d", entry, nr_segments, segments_uaddr, flags)
}
-probe nd_syscall.kexec_load.return =
- kernel.function("sys_kexec_load").return ?,
- kernel.function("compat_sys_kexec_load").return ?
+probe nd_syscall.kexec_load.return = kprobe.function("sys_kexec_load").return ?,
+ kprobe.function("compat_sys_kexec_load").return ?
{
name = "kexec_load"
retstr = returnstr(1)
@@ -2130,17 +2543,17 @@ probe nd_syscall.kexec_load.return =
# unsigned long arg5)
# long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5)
#
-probe nd_syscall.keyctl =
- kernel.function("sys_keyctl") ?,
- kernel.function("compat_sys_keyctl") ?
+probe nd_syscall.keyctl = kprobe.function("sys_keyctl") ?,
+ kprobe.function("compat_sys_keyctl") ?
{
name = "keyctl"
- argstr = sprintf("%d, ...", $option)
+ // argstr = sprintf("%d, ...", $option)
+ asmlinkage()
+ argstr = sprintf("%d, ...", uint_arg(1))
}
-probe nd_syscall.keyctl.return =
- kernel.function("sys_keyctl").return ?,
- kernel.function("compat_sys_keyctl").return ?
+probe nd_syscall.keyctl.return = kprobe.function("sys_keyctl").return ?,
+ kprobe.function("compat_sys_keyctl").return ?
{
name = "keyctl"
retstr = returnstr(1)
@@ -2148,13 +2561,19 @@ probe nd_syscall.keyctl.return =
# kill _______________________________________________________
# long sys_kill(int pid, int sig)
-probe nd_syscall.kill = kernel.function("sys_kill") {
+probe nd_syscall.kill = kprobe.function("sys_kill")
+{
name = "kill"
- pid = $pid
- sig = $sig
- argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+ // pid = $pid
+ // sig = $sig
+ // argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+ asmlinkage()
+ pid = int_arg(1)
+ sig = int_arg(2)
+ argstr = sprintf("%d, %s", pid, _signal_name(sig))
}
-probe nd_syscall.kill.return = kernel.function("sys_kill").return {
+probe nd_syscall.kill.return = kprobe.function("sys_kill").return
+{
name = "kill"
retstr = returnstr(1)
}
@@ -2162,14 +2581,21 @@ probe nd_syscall.kill.return = kernel.function("sys_kill").return {
# lchown _____________________________________________________
# long sys_lchown(const char __user * filename, uid_t user, gid_t group)
#
-probe nd_syscall.lchown = kernel.function("sys_lchown") {
+probe nd_syscall.lchown = kprobe.function("sys_lchown")
+{
name = "lchown"
- path = user_string($filename)
- owner = __int32($user)
- group = __int32($group)
- argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
+ // path = user_string($filename)
+ // owner = __int32($user)
+ // group = __int32($group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ owner = __int32(uint_arg(2))
+ group = __int32(uint_arg(3))
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.lchown.return = kernel.function("sys_lchown").return {
+probe nd_syscall.lchown.return = kprobe.function("sys_lchown").return
+{
name = "lchown"
retstr = returnstr(1)
}
@@ -2178,14 +2604,21 @@ probe nd_syscall.lchown.return = kernel.function("sys_lchown").return {
# long sys_lchown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
-probe nd_syscall.lchown16 = kernel.function("sys_lchown16") ? {
+probe nd_syscall.lchown16 = kprobe.function("sys_lchown16") ?
+{
name = "lchown16"
- path = user_string($filename)
- owner = __short($user)
- group = __short($group)
- argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ // path = user_string($filename)
+ // owner = __short($user)
+ // group = __short($group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ owner = __short(uint_arg(2))
+ group = __short(uint_arg(3))
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
+probe nd_syscall.lchown16.return = kprobe.function("sys_lchown16").return ?
+{
name = "lchown16"
retstr = returnstr(1)
}
@@ -2195,47 +2628,81 @@ probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
# void __user *value,
# size_t size)
#
-probe nd_syscall.lgetxattr = kernel.function("sys_lgetxattr") {
+probe nd_syscall.lgetxattr = kprobe.function("sys_lgetxattr")
+{
name = "lgetxattr"
- path = user_string($path)
+ // %( kernel_v >= "2.6.27" %?
+ // path = user_string($pathname)
+ // %:
+ // path = user_string($path)
+ // %)
+ // # FIXME
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%s, %s, %p, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, size)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
argstr = sprintf("%s, %s, %p, %d",
- user_string_quoted($path),
- user_string_quoted($name),
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)),
value_uaddr, size)
}
-probe nd_syscall.lgetxattr.return = kernel.function("sys_lgetxattr").return {
+probe nd_syscall.lgetxattr.return = kprobe.function("sys_lgetxattr").return
+{
name = "lgetxattr"
retstr = returnstr(1)
}
# link _______________________________________________________
# long sys_link(const char __user * oldname,
# const char __user * newname)
-probe nd_syscall.link = kernel.function("sys_link") {
+probe nd_syscall.link = kprobe.function("sys_link")
+{
name = "link"
- oldpath = user_string($oldname)
- newpath = user_string($newname)
+ // oldpath = user_string($oldname)
+ // newpath = user_string($newname)
+ // argstr = sprintf("%s, %s",
+ // user_string_quoted($oldname),
+ // user_string_quoted($newname))
+ asmlinkage()
+ oldpath = user_string(pointer_arg(1))
+ newpath = user_string(pointer_arg(2))
argstr = sprintf("%s, %s",
- user_string_quoted($oldname),
- user_string_quoted($newname))
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)))
}
-probe nd_syscall.link.return = kernel.function("sys_link").return {
+probe nd_syscall.link.return = kprobe.function("sys_link").return
+{
name = "link"
retstr = returnstr(1)
}
# listen _____________________________________________________
# long sys_listen(int fd, int backlog)
-probe nd_syscall.listen = kernel.function("sys_listen") ? {
+probe nd_syscall.listen = kprobe.function("sys_listen") ?
+{
name = "listen"
- sockfd = $fd
- backlog = $backlog
- argstr = sprintf("%d, %d", $fd, $backlog)
+ // sockfd = $fd
+ // backlog = $backlog
+ // argstr = sprintf("%d, %d", $fd, $backlog)
+ asmlinkage()
+ sockfd = int_arg(1)
+ backlog = int_arg(2)
+ argstr = sprintf("%d, %d", sockfd, backlog)
}
-probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
+probe nd_syscall.listen.return = kprobe.function("sys_listen").return ?
+{
name = "listen"
retstr = returnstr(1)
}
@@ -2243,15 +2710,29 @@ probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
# listxattr __________________________________________________
# ssize_t sys_listxattr(char __user *path, char __user *list, size_t size)
#
-probe nd_syscall.listxattr = kernel.function("sys_listxattr") {
+probe nd_syscall.listxattr = kprobe.function("sys_listxattr")
+{
name = "listxattr"
- path_uaddr = $path
- path = user_string($path)
- list_uaddr = $list
- size = $size
- argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // list_uaddr = $list
+ // size = $size
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
+ argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
}
-probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
+probe nd_syscall.listxattr.return = kprobe.function("sys_listxattr").return
+{
name = "listxattr"
retstr = returnstr(1)
}
@@ -2259,15 +2740,29 @@ probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
# llistxattr _________________________________________________
# ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size)
#
-probe nd_syscall.llistxattr = kernel.function("sys_llistxattr") {
+probe nd_syscall.llistxattr = kprobe.function("sys_llistxattr")
+{
name = "llistxattr"
- path_uaddr = $path
- path = user_string($path)
- list_uaddr = $list
- size = $size
- argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // list_uaddr = $list
+ // size = $size
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
+ argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
}
-probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
+probe nd_syscall.llistxattr.return = kprobe.function("sys_llistxattr").return
+{
name = "llistxattr"
retstr = returnstr(1)
}
@@ -2278,18 +2773,29 @@ probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
# unsigned long offset_low,
# loff_t __user * result,
# unsigned int origin)
-probe nd_syscall.llseek = kernel.function("sys_llseek") ? {
+probe nd_syscall.llseek = kprobe.function("sys_llseek") ?
+{
name = "llseek"
- fd = $fd
- offset_high = $offset_high
- offset_low = $offset_low
- result_uaddr = $result
- whence = $origin
- whence_str = _seek_whence_str($origin)
- argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
- $offset_low, $result, whence_str)
-}
-probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
+ // fd = $fd
+ // offset_high = $offset_high
+ // offset_low = $offset_low
+ // result_uaddr = $result
+ // whence = $origin
+ // whence_str = _seek_whence_str($origin)
+ // argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
+ // $offset_low, $result, whence_str)
+ asmlinkage()
+ fd = int_arg(1)
+ offset_high = ulong_arg(2)
+ offset_low = ulong_arg(3)
+ result_uaddr = pointer_arg(4)
+ whence = uint_arg(5)
+ whence_str = _seek_whence_str(whence)
+ argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high,
+ offset_low, result_uaddr, whence_str)
+}
+probe nd_syscall.llseek.return = kprobe.function("sys_llseek").return ?
+{
name = "llseek"
retstr = returnstr(1)
}
@@ -2297,14 +2803,21 @@ probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
# lookup_dcookie _____________________________________________
# long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)
#
-probe nd_syscall.lookup_dcookie = kernel.function("sys_lookup_dcookie") ? {
+probe nd_syscall.lookup_dcookie = kprobe.function("sys_lookup_dcookie") ?
+{
name = "lookup_dcookie"
- cookie = $cookie64
- buffer_uaddr = $buf
- len = $len
- argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+ // cookie = $cookie64
+ // buffer_uaddr = $buf
+ // len = $len
+ // argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+ asmlinkage()
+ cookie = ulonglong_arg(1)
+ buffer_uaddr = pointer_arg(2)
+ len = ulong_arg(3)
+ argstr = sprintf("%d, %p, %d", cookie, buffer_uaddr, len)
}
-probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").return ? {
+probe nd_syscall.lookup_dcookie.return = kprobe.function("sys_lookup_dcookie").return ?
+{
name = "lookup_dcookie"
retstr = returnstr(1)
}
@@ -2312,31 +2825,53 @@ probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").r
# lremovexattr _______________________________________________
# long sys_lremovexattr(char __user *path, char __user *name)
#
-probe nd_syscall.lremovexattr = kernel.function("sys_lremovexattr") {
+probe nd_syscall.lremovexattr = kprobe.function("sys_lremovexattr")
+{
name = "lremovexattr"
- path_uaddr = $path
- path = user_string($path)
- name_uaddr = $name
- name2 = user_string($name)
- argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
+ // name_uaddr = $name
+ // name2 = user_string($name)
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %s", user_string_quoted($pathname), user_string_quoted($name))
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ name_uaddr = pointer_arg(2)
+ name2 = user_string(name_uaddr)
+ argstr = sprintf("%s, %s", user_string_quoted(path_uaddr), user_string_quoted(name_uaddr))
}
-probe nd_syscall.lremovexattr.return = kernel.function("sys_lremovexattr").return {
+probe nd_syscall.lremovexattr.return = kprobe.function("sys_lremovexattr").return
+{
name = "lremovexattr"
retstr = returnstr(1)
}
# lseek ______________________________________________________
# off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
-probe nd_syscall.lseek = kernel.function("sys_lseek") {
- name = "lseek"
- fildes = $fd
-# offset = __int32($offset)
- offset = $offset
- whence = $origin
- whence_str = _seek_whence_str($origin)
- argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
-}
-probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
+probe nd_syscall.lseek = kprobe.function("sys_lseek")
+{
+ // name = "lseek"
+ // fildes = $fd
+ // # offset = __int32($offset)
+ // offset = $offset
+ // whence = $origin
+ // whence_str = _seek_whence_str($origin)
+ // argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
+ asmlinkage()
+ fildes = int_arg(1)
+ offset = long_arg(2)
+ whence = uint_arg(3)
+ whence_str = _seek_whence_str(whence)
+ argstr = sprintf("%d, %d, %s", fildes, offset, whence_str)
+}
+probe nd_syscall.lseek.return = kprobe.function("sys_lseek").return
+{
name = "lseek"
retstr = returnstr(1)
}
@@ -2348,21 +2883,44 @@ probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
# size_t size,
# int flags)
#
-probe nd_syscall.lsetxattr = kernel.function("sys_lsetxattr") {
+probe nd_syscall.lsetxattr = kprobe.function("sys_lsetxattr")
+{
name = "lsetxattr"
- path_uaddr = $path
- path = user_string($path)
- name_uaddr = $name
- name_str = user_string($name)
- value_uaddr = $value
- size = $size
- flags = $flags
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // %)
+ // name_uaddr = $name
+ // name_str = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // flags = $flags
+ // argstr = sprintf("%s, %s, %p, %d, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, $size, $flags)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ name_uaddr = pointer_arg(2)
+ name_str = user_string(name_uaddr)
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ flags = int_arg(5)
argstr = sprintf("%s, %s, %p, %d, %d",
- user_string_quoted($path),
- user_string_quoted($name),
- value_uaddr, $size, $flags)
+ user_string_quoted(path_uaddr),
+ user_string_quoted(name_uaddr),
+ value_uaddr, size, flags)
}
-probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
+probe nd_syscall.lsetxattr.return = kprobe.function("sys_lsetxattr").return
+{
name = "lsetxattr"
retstr = returnstr(1)
}
@@ -2376,26 +2934,28 @@ probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
# long sys_oabi_lstat64(char __user * filename,
# struct oldabi_stat64 __user * statbuf)
#
-probe nd_syscall.lstat =
- kernel.function("sys_lstat") ?,
- kernel.function("sys_newlstat") ?,
- kernel.function("compat_sys_newlstat") ?,
- kernel.function("sys32_lstat64") ?,
- kernel.function("sys_lstat64") ?,
- kernel.function("sys_oabi_lstat64") ?
+probe nd_syscall.lstat = kprobe.function("sys_lstat") ?,
+ kprobe.function("sys_newlstat") ?,
+ kprobe.function("compat_sys_newlstat") ?,
+ kprobe.function("sys32_lstat64") ?,
+ kprobe.function("sys_lstat64") ?,
+ kprobe.function("sys_oabi_lstat64") ?
{
name = "lstat"
- path = user_string($filename)
- buf_uaddr = $statbuf
- argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
-}
-probe nd_syscall.lstat.return =
- kernel.function("sys_lstat").return ?,
- kernel.function("sys_newlstat").return ?,
- kernel.function("compat_sys_newlstat").return ?,
- kernel.function("sys32_lstat64").return ?,
- kernel.function("sys_lstat64").return ?,
- kernel.function("sys_oabi_lstat64").return ?
+ // path = user_string($filename)
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr)
+}
+probe nd_syscall.lstat.return = kprobe.function("sys_lstat").return ?,
+ kprobe.function("sys_newlstat").return ?,
+ kprobe.function("compat_sys_newlstat").return ?,
+ kprobe.function("sys32_lstat64").return ?,
+ kprobe.function("sys_lstat64").return ?,
+ kprobe.function("sys_oabi_lstat64").return ?
{
name = "lstat"
retstr = returnstr(1)
@@ -2404,15 +2964,23 @@ probe nd_syscall.lstat.return =
# madvise ____________________________________________________
# long sys_madvise(unsigned long start, size_t len_in, int behavior)
#
-probe nd_syscall.madvise = kernel.function("sys_madvise") ? {
+probe nd_syscall.madvise = kprobe.function("sys_madvise") ?
+{
name = "madvise"
- start = $start
- length = $len_in
- advice = $behavior
- advice_str = _madvice_advice_str($behavior)
- argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
+ // start = $start
+ // length = $len_in
+ // advice = $behavior
+ // advice_str = _madvice_advice_str($behavior)
+ // argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ advice = int_arg(3)
+ advice_str = _madvice_advice_str(advice)
+ argstr = sprintf("%p, %d, %s", start, length, _madvice_advice_str(advice))
}
-probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
+probe nd_syscall.madvise.return = kprobe.function("sys_madvise").return ?
+{
name = "madvise"
retstr = returnstr(1)
}
@@ -2432,23 +3000,30 @@ probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
# compat_ulong_t maxnode,
# compat_ulong_t flags)
#
-probe nd_syscall.mbind =
- kernel.function("sys_mbind") ?,
- kernel.function("compat_sys_mbind") ?
+probe nd_syscall.mbind = kprobe.function("sys_mbind") ?,
+ kprobe.function("compat_sys_mbind") ?
{
name = "mbind"
- start = $start
- len = $len
- mode = $mode
- nmask_uaddr = $nmask
- maxnode = $maxnode
- flags = $flags
- argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
- $nmask, $maxnode, $flags)
-}
-probe nd_syscall.mbind.return =
- kernel.function("sys_mbind").return ?,
- kernel.function("compat_sys_mbind").return ?
+ // start = $start
+ // len = $len
+ // mode = $mode
+ // nmask_uaddr = $nmask
+ // maxnode = $maxnode
+ // flags = $flags
+ // argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
+ // $nmask, $maxnode, $flags)
+ asmlinkage()
+ start = ulong_arg(1)
+ len = long_arg(2)
+ mode = ulong_arg(3)
+ nmask_uaddr = pointer_arg(4)
+ maxnode = ulong_arg(5)
+ flags = uint_arg(6)
+ argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", start, len, mode,
+ nmask_uaddr, maxnode, flags)
+}
+probe nd_syscall.mbind.return = kprobe.function("sys_mbind").return ?,
+ kprobe.function("compat_sys_mbind").return ?
{
name = "mbind"
retstr = returnstr(1)
@@ -2458,11 +3033,15 @@ probe nd_syscall.mbind.return =
# long sys_migrate_pages(pid_t pid, unsigned long maxnode,
# const unsigned long __user *old_nodes,
# const unsigned long __user *new_nodes)
-probe nd_syscall.migrate_pages = kernel.function("sys_migrate_pages") ? {
+probe nd_syscall.migrate_pages = kprobe.function("sys_migrate_pages") ?
+{
name = "migrate_pages"
- argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+ // argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p, %p", int_arg(1), ulong_arg(2), pointer_arg(3), pointer_arg(4))
}
-probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").return ? {
+probe nd_syscall.migrate_pages.return = kprobe.function("sys_migrate_pages").return ?
+{
name = "migrate_pages"
retstr = returnstr(1)
}
@@ -2470,28 +3049,42 @@ probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").ret
# mincore ____________________________________________________
# long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec)
#
-probe nd_syscall.mincore = kernel.function("sys_mincore") ? {
+probe nd_syscall.mincore = kprobe.function("sys_mincore") ?
+{
name = "mincore"
- start = $start
- length = $len
- vec_uaddr = $vec
- argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+ // start = $start
+ // length = $len
+ // vec_uaddr = $vec
+ // argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ vec_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %d, %p", start, length, vec_uaddr)
}
-probe nd_syscall.mincore.return = kernel.function("sys_mincore").return ? {
+probe nd_syscall.mincore.return = kprobe.function("sys_mincore").return ?
+{
name = "mincore"
retstr = returnstr(1)
}
# mkdir ______________________________________________________
# long sys_mkdir(const char __user * pathname, int mode)
-probe nd_syscall.mkdir = kernel.function("sys_mkdir") {
+probe nd_syscall.mkdir = kprobe.function("sys_mkdir")
+{
name = "mkdir"
- pathname_uaddr = $pathname
- pathname = user_string($pathname)
- mode = $mode
- argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ // pathname_uaddr = $pathname
+ // pathname = user_string($pathname)
+ // mode = $mode
+ // argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ asmlinkage()
+ pathname_uaddr = pointer_arg(1)
+ pathname = user_string(pathname_uaddr)
+ mode = int_arg(2)
+ argstr = sprintf("%s, %#o", user_string_quoted(pathname_uaddr), mode)
}
-probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return {
+probe nd_syscall.mkdir.return = kprobe.function("sys_mkdir").return
+{
name = "mkdir"
retstr = returnstr(1)
}
@@ -2499,29 +3092,43 @@ probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return {
# mkdirat ____________________________________________________
# new function with 2.6.16
# long sys_mkdirat(int dfd, const char __user *pathname, int mode)
-probe nd_syscall.mkdirat = kernel.function("sys_mkdirat") ? {
+probe nd_syscall.mkdirat = kprobe.function("sys_mkdirat") ?
+{
name = "mkdirat"
- dirfd = $dfd
- pathname = user_string($pathname)
- mode = $mode
- argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+ // dirfd = $dfd
+ // pathname = user_string($pathname)
+ // mode = $mode
+ // argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+ asmlinkage()
+ dirfd = int_arg(1)
+ pathname = user_string(pointer_arg(2))
+ mode = int_arg(3)
+ argstr = sprintf("%d, %s, %#o", dirfd, user_string_quoted(pointer_arg(2)), mode)
}
-probe nd_syscall.mkdirat.return = kernel.function("sys_mkdirat").return ? {
+probe nd_syscall.mkdirat.return = kprobe.function("sys_mkdirat").return ?
+{
name = "mkdirat"
retstr = returnstr(1)
}
# mknod
# long sys_mknod(const char __user * filename, int mode, unsigned dev)
-probe nd_syscall.mknod = kernel.function("sys_mknod") {
+probe nd_syscall.mknod = kprobe.function("sys_mknod")
+{
name = "mknod"
- pathname = user_string($filename)
- mode = $mode
- dev = $dev
- argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+ // pathname = user_string($filename)
+ // mode = $mode
+ // dev = $dev
+ // argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+ asmlinkage()
+ pathname = user_string(pointer_arg(1))
+ mode = int_arg(2)
+ dev = uint_arg(3)
+ argstr = sprintf("%s, %s, %p", user_string_quoted(pointer_arg(1)), _mknod_mode_str(mode), dev)
}
-probe nd_syscall.mknod.return = kernel.function("sys_mknod").return {
+probe nd_syscall.mknod.return = kprobe.function("sys_mknod").return
+{
name = "mknod"
retstr = returnstr(1)
}
@@ -2530,13 +3137,19 @@ probe nd_syscall.mknod.return = kernel.function("sys_mknod").return {
#
# long sys_mlock(unsigned long start, size_t len)
#
-probe nd_syscall.mlock = kernel.function("sys_mlock") ? {
+probe nd_syscall.mlock = kprobe.function("sys_mlock") ?
+{
name = "mlock"
- addr = $start
- len = $len
- argstr = sprintf("%p, %d", $start, $len)
+ // addr = $start
+ // len = $len
+ // argstr = sprintf("%p, %d", $start, $len)
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
+ argstr = sprintf("%p, %d", addr, len)
}
-probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
+probe nd_syscall.mlock.return = kprobe.function("sys_mlock").return ?
+{
name = "mlock"
retstr = returnstr(1)
}
@@ -2544,12 +3157,17 @@ probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
#
# long sys_mlockall(int flags)
#
-probe nd_syscall.mlockall = kernel.function("sys_mlockall") ? {
+probe nd_syscall.mlockall = kprobe.function("sys_mlockall") ?
+{
name = "mlockall"
- flags = $flags
- argstr = _mlockall_flags_str($flags)
+ // flags = $flags
+ // argstr = _mlockall_flags_str($flags)
+ asmlinkage()
+ flags = int_arg(1)
+ argstr = _mlockall_flags_str(flags)
}
-probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
+probe nd_syscall.mlockall.return = kprobe.function("sys_mlockall").return ?
+{
name = "mlockall"
retstr = returnstr(1)
}
@@ -2557,14 +3175,21 @@ probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
# modify_ldt _________________________________________________
# int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
#
-probe nd_syscall.modify_ldt = kernel.function("sys_modify_ldt") ? {
+probe nd_syscall.modify_ldt = kprobe.function("sys_modify_ldt") ?
+{
name = "modify_ldt"
- func = $func
- ptr_uaddr = $ptr
- bytecount = $bytecount
- argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+ // func = $func
+ // ptr_uaddr = $ptr
+ // bytecount = $bytecount
+ // argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+ asmlinkage()
+ func = int_arg(1)
+ ptr_uaddr = pointer_arg(2)
+ bytecount = ulong_arg(3)
+ argstr = sprintf("%d, %p, %d", func, ptr_uaddr, bytecount)
}
-probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? {
+probe nd_syscall.modify_ldt.return = kprobe.function("sys_modify_ldt").return ?
+{
name = "modify_ldt"
retstr = returnstr(1)
}
@@ -2582,16 +3207,16 @@ probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ?
# int __user *status,
# int flags)
#
-probe nd_syscall.move_pages =
- kernel.function("sys_move_pages") ?,
- kernel.function("compat_sys_move_pages") ?
+probe nd_syscall.move_pages = kprobe.function("sys_move_pages") ?,
+ kprobe.function("compat_sys_move_pages") ?
{
name = "move_pages"
- argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+ // argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p, %p, 0x%x", int_arg(1), ulong_arg(2), pointer_arg(4), pointer_arg(5), int_arg(6))
}
-probe nd_syscall.move_pages.return =
- kernel.function("sys_move_pages").return ?,
- kernel.function("compat_sys_move_pages").return ?
+probe nd_syscall.move_pages.return = kprobe.function("sys_move_pages").return ?,
+ kprobe.function("compat_sys_move_pages").return ?
{
name = "move_pages"
retstr = returnstr(1)
@@ -2608,26 +3233,36 @@ probe nd_syscall.move_pages.return =
# char __user * type,
# unsigned long flags,
# void __user * data)
-probe nd_syscall.mount =
- kernel.function("sys_mount"),
- kernel.function("compat_sys_mount") ?
+probe nd_syscall.mount = kprobe.function("sys_mount"),
+ kprobe.function("compat_sys_mount") ?
{
name = "mount"
- source = user_string($dev_name)
- target = user_string($dir_name)
- filesystemtype = user_string($type)
- mountflags = $flags
- mountflags_str = _mountflags_str($flags)
- data = text_strn(user_string($data),syscall_string_trunc,1)
+ // source = user_string($dev_name)
+ // target = user_string($dir_name)
+ // filesystemtype = user_string($type)
+ // mountflags = $flags
+ // mountflags_str = _mountflags_str($flags)
+ // data = text_strn(user_string($data), syscall_string_trunc, 1)
+ // argstr = sprintf("%s, %s, %s, %s, %s",
+ // user_string_quoted($dev_name),
+ // user_string_quoted($dir_name),
+ // user_string_quoted($type),
+ // mountflags_str, data)
+ asmlinkage()
+ source = user_string(pointer_arg(1))
+ target = user_string(pointer_arg(2))
+ filesystemtype = user_string(pointer_arg(3))
+ mountflags = ulong_arg(4)
+ mountflags_str = _mountflags_str(mountflags)
+ data = text_strn(user_string(pointer_arg(5)), syscall_string_trunc, 1)
argstr = sprintf("%s, %s, %s, %s, %s",
- user_string_quoted($dev_name),
- user_string_quoted($dir_name),
- user_string_quoted($type),
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)),
+ user_string_quoted(pointer_arg(3)),
mountflags_str, data)
}
-probe nd_syscall.mount.return =
- kernel.function("sys_mount").return,
- kernel.function("compat_sys_mount").return ?
+probe nd_syscall.mount.return = kprobe.function("sys_mount").return,
+ kprobe.function("compat_sys_mount").return ?
{
name = "mount"
retstr = returnstr(1)
@@ -2636,15 +3271,23 @@ probe nd_syscall.mount.return =
# mprotect ___________________________________________________
# long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
#
-probe nd_syscall.mprotect = kernel.function("sys_mprotect") ? {
+probe nd_syscall.mprotect = kprobe.function("sys_mprotect") ?
+{
name = "mprotect"
- addr = $start
- len = $len
- prot = $prot
- prot_str = _mprotect_prot_str($prot)
- argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
+ // addr = $start
+ // len = $len
+ // prot = $prot
+ // prot_str = _mprotect_prot_str($prot)
+ // argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
+ prot = ulong_arg(3)
+ prot_str = _mprotect_prot_str(prot)
+ argstr = sprintf("%p, %d, %s", addr, len, _mprotect_prot_str(prot))
}
-probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
+probe nd_syscall.mprotect.return = kprobe.function("sys_mprotect").return ?
+{
name = "mprotect"
retstr = returnstr(1)
}
@@ -2657,19 +3300,22 @@ probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
# const struct compat_mq_attr __user *u_mqstat,
# struct compat_mq_attr __user *u_omqstat)
#
-probe nd_syscall.mq_getsetattr =
- kernel.function("sys_mq_getsetattr") ?,
- kernel.function("compat_sys_mq_getsetattr") ?
+probe nd_syscall.mq_getsetattr = kprobe.function("sys_mq_getsetattr") ?,
+ kprobe.function("compat_sys_mq_getsetattr") ?
{
name = "mq_getsetattr"
- mqdes = $mqdes
- u_mqstat_uaddr = $u_mqstat
- u_omqstat_uaddr = $u_omqstat
- argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
+ // mqdes = $mqdes
+ // u_mqstat_uaddr = $u_mqstat
+ // u_omqstat_uaddr = $u_omqstat
+ // argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
+ asmlinkage()
+ mqdes = int_arg(1)
+ u_mqstat_uaddr = pointer_arg(2)
+ u_omqstat_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", mqdes, u_mqstat_uaddr, u_omqstat_uaddr)
}
-probe nd_syscall.mq_getsetattr.return =
- kernel.function("sys_mq_getsetattr").return ?,
- kernel.function("compat_sys_mq_getsetattr").return ?
+probe nd_syscall.mq_getsetattr.return = kprobe.function("sys_mq_getsetattr").return ?,
+ kprobe.function("compat_sys_mq_getsetattr").return ?
{
name = "mq_getsetattr"
retstr = returnstr(1)
@@ -2679,18 +3325,20 @@ probe nd_syscall.mq_getsetattr.return =
# long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
# long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification)
#
-probe nd_syscall.mq_notify =
- kernel.function("sys_mq_notify") ?,
- kernel.function("compat_sys_mq_notify") ?
+probe nd_syscall.mq_notify = kprobe.function("sys_mq_notify") ?,
+ kprobe.function("compat_sys_mq_notify") ?
{
name = "mq_notify"
- mqdes = $mqdes
- notification_uaddr = $u_notification
- argstr = sprintf("%d, %p", $mqdes, $u_notification)
+ // mqdes = $mqdes
+ // notification_uaddr = $u_notification
+ // argstr = sprintf("%d, %p", $mqdes, $u_notification)
+ asmlinkage()
+ mqdes = int_arg(1)
+ notification_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", mqdes, notification_uaddr)
}
-probe nd_syscall.mq_notify.return =
- kernel.function("sys_mq_notify").return ?,
- kernel.function("compat_sys_mq_notify").return ?
+probe nd_syscall.mq_notify.return = kprobe.function("sys_mq_notify").return ?,
+ kprobe.function("compat_sys_mq_notify").return ?
{
name = "mq_notify"
retstr = returnstr(1)
@@ -2705,9 +3353,8 @@ probe nd_syscall.mq_notify.return =
# int oflag, compat_mode_t mode,
# struct compat_mq_attr __user *u_attr)
#
-probe nd_syscall.mq_open =
- kernel.function("sys_mq_open") ?,
- kernel.function("compat_sys_mq_open") ?
+probe nd_syscall.mq_open = kprobe.function("sys_mq_open") ?,
+ kprobe.function("compat_sys_mq_open") ?
{
name = "mq_open"
// name_uaddr = $u_name
@@ -2733,9 +3380,8 @@ probe nd_syscall.mq_open =
else
argstr = sprintf("%s, %s", user_string_quoted(name_uaddr), _sys_open_flag_str(oflag))
}
-probe nd_syscall.mq_open.return =
- kernel.function("sys_mq_open").return ?,
- kernel.function("compat_sys_mq_open").return ?
+probe nd_syscall.mq_open.return = kprobe.function("sys_mq_open").return ?,
+ kprobe.function("compat_sys_mq_open").return ?
{
name = "mq_open"
retstr = returnstr(1)
@@ -2752,22 +3398,28 @@ probe nd_syscall.mq_open.return =
# size_t msg_len, unsigned int __user *u_msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
-probe nd_syscall.mq_timedreceive =
- kernel.function("sys_mq_timedreceive") ?,
- kernel.function("compat_sys_mq_timedreceive") ?
+probe nd_syscall.mq_timedreceive = kprobe.function("sys_mq_timedreceive") ?,
+ kprobe.function("compat_sys_mq_timedreceive") ?
{
name = "mq_timedreceive"
- mqdes = $mqdes
- msg_ptr_uaddr = $u_msg_ptr
- msg_len = $msg_len
- msg_prio_uaddr = $u_msg_prio
- abs_timout_uaddr = $u_abs_timeout
- argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
- $u_msg_prio, $u_abs_timeout)
-}
-probe nd_syscall.mq_timedreceive.return =
- kernel.function("sys_mq_timedreceive").return ?,
- kernel.function("compat_sys_mq_timedreceive").return ?
+ // mqdes = $mqdes
+ // msg_ptr_uaddr = $u_msg_ptr
+ // msg_len = $msg_len
+ // msg_prio_uaddr = $u_msg_prio
+ // abs_timout_uaddr = $u_abs_timeout
+ // argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
+ // $u_msg_prio, $u_abs_timeout)
+ asmlinkage()
+ mqdes = int_arg(1)
+ msg_ptr_uaddr = pointer_arg(2)
+ msg_len = ulong_arg(3)
+ msg_prio_uaddr = pointer_arg(4)
+ abs_timeout_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %p, %d, %p, %p", mqdes, msg_ptr_uaddr, msg_len,
+ msg_prio_uaddr, abs_timeout_uaddr)
+}
+probe nd_syscall.mq_timedreceive.return = kprobe.function("sys_mq_timedreceive").return ?,
+ kprobe.function("compat_sys_mq_timedreceive").return ?
{
name = "mq_timedreceive"
retstr = returnstr(1)
@@ -2784,22 +3436,28 @@ probe nd_syscall.mq_timedreceive.return =
# size_t msg_len, unsigned int msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
-probe nd_syscall.mq_timedsend =
- kernel.function("sys_mq_timedsend") ?,
- kernel.function("compat_sys_mq_timedsend") ?
+probe nd_syscall.mq_timedsend = kprobe.function("sys_mq_timedsend") ?,
+ kprobe.function("compat_sys_mq_timedsend") ?
{
name = "mq_timedsend"
- mqdes = $mqdes
- msg_ptr_uaddr = $u_msg_ptr
- msg_len = $msg_len
- msg_prio = $msg_prio
- abs_timeout_uaddr = $u_abs_timeout
- argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
- $msg_prio, $u_abs_timeout)
-}
-probe nd_syscall.mq_timedsend.return =
- kernel.function("sys_mq_timedsend").return ?,
- kernel.function("compat_sys_mq_timedsend").return ?
+ // mqdes = $mqdes
+ // msg_ptr_uaddr = $u_msg_ptr
+ // msg_len = $msg_len
+ // msg_prio = $msg_prio
+ // abs_timeout_uaddr = $u_abs_timeout
+ // argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
+ // $msg_prio, $u_abs_timeout)
+ asmlinkage()
+ mqdes = int_arg(1)
+ msg_ptr_uaddr = pointer_arg(2)
+ msg_len = ulong_arg(3)
+ msg_prio = uint_arg(4)
+ abs_timeout_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %p, %d, %d, %p", mqdes, msg_ptr_uaddr, msg_len,
+ msg_prio, abs_timeout_uaddr)
+}
+probe nd_syscall.mq_timedsend.return = kprobe.function("sys_mq_timedsend").return ?,
+ kprobe.function("compat_sys_mq_timedsend").return ?
{
name = "mq_timedsend"
retstr = returnstr(1)
@@ -2808,13 +3466,19 @@ probe nd_syscall.mq_timedsend.return =
# mq_unlink __________________________________________________
# long sys_mq_unlink(const char __user *u_name)
#
-probe nd_syscall.mq_unlink = kernel.function("sys_mq_unlink") ? {
+probe nd_syscall.mq_unlink = kprobe.function("sys_mq_unlink") ?
+{
name = "mq_unlink"
- u_name_uaddr = $u_name
- u_name = user_string($u_name)
- argstr = user_string_quoted($u_name)
+ // u_name_uaddr = $u_name
+ // u_name = user_string($u_name)
+ // argstr = user_string_quoted($u_name)
+ asmlinkage()
+ u_name_uaddr = pointer_arg(1)
+ u_name = user_string(u_name_uaddr)
+ argstr = user_string_quoted(u_name_uaddr)
}
-probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
+probe nd_syscall.mq_unlink.return = kprobe.function("sys_mq_unlink").return ?
+{
name = "mq_unlink"
retstr = returnstr(1)
}
@@ -2826,22 +3490,28 @@ probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
# unsigned long flags,
# unsigned long new_addr)
#
-probe nd_syscall.mremap =
- kernel.function("sys_mremap") ?,
- kernel.function("ia64_mremap") ?
+probe nd_syscall.mremap = kprobe.function("sys_mremap") ?,
+ kprobe.function("ia64_mremap") ?
{
name = "mremap"
- old_address = $addr
- old_size = $old_len
- new_size = $new_len
- flags = $flags
- new_address = $new_addr
- argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
- _mremap_flags($flags), $new_addr)
-}
-probe nd_syscall.mremap.return =
- kernel.function("sys_mremap").return ?,
- kernel.function("ia64_mremap").return ?
+ // old_address = $addr
+ // old_size = $old_len
+ // new_size = $new_len
+ // flags = $flags
+ // new_address = $new_addr
+ // argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
+ // _mremap_flags($flags), $new_addr)
+ asmlinkage()
+ old_address = ulong_arg(1)
+ old_size = ulong_arg(2)
+ new_size = ulong_arg(3)
+ flags = ulong_arg(4)
+ new_address = ulong_arg(5)
+ argstr = sprintf("%p, %d, %d, %s, %p", old_address, old_size, new_size,
+ _mremap_flags(flags), new_address)
+}
+probe nd_syscall.mremap.return = kprobe.function("sys_mremap").return ?,
+ kprobe.function("ia64_mremap").return ?
{
name = "mremap"
retstr = returnstr(2)
@@ -2850,14 +3520,21 @@ probe nd_syscall.mremap.return =
# msgctl _____________________________________________________
# long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
#
-probe nd_syscall.msgctl = kernel.function("sys_msgctl") ? {
+probe nd_syscall.msgctl = kprobe.function("sys_msgctl") ?
+{
name = "msgctl"
- msqid = $msqid
- cmd = $cmd
- buf_uaddr = $buf
- argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+ // msqid = $msqid
+ // cmd = $cmd
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+ asmlinkage()
+ msqid = int_arg(1)
+ cmd = int_arg(2)
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", msqid, cmd, buf_uaddr)
}
-probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
+probe nd_syscall.msgctl.return = kprobe.function("sys_msgctl").return ?
+{
name = "msgctl"
retstr = returnstr(1)
}
@@ -2865,11 +3542,15 @@ probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
#
# long compat_sys_msgctl(int first, int second, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ? {
+probe nd_syscall.compat_sys_msgctl = kprobe.function("compat_sys_msgctl") ?
+{
name = "compat_sys_msgctl"
- argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+ // argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p", int_arg(1), int_arg(2), pointer_arg(3))
}
-probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ? {
+probe nd_syscall.compat_sys_msgctl.return = kprobe.function("compat_sys_msgctl").return ?
+{
name = "compat_sys_msgctl"
retstr = returnstr(1)
}
@@ -2877,14 +3558,21 @@ probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl")
# msgget _____________________________________________________
# long sys_msgget (key_t key, int msgflg)
#
-probe nd_syscall.msgget = kernel.function("sys_msgget") ? {
+probe nd_syscall.msgget = kprobe.function("sys_msgget") ?
+{
name = "msgget"
- key = $key
- msgflg = $msgflg
- msgflg_str = _sys_open_flag_str($msgflg)
- argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+ // key = $key
+ // msgflg = $msgflg
+ // msgflg_str = _sys_open_flag_str($msgflg)
+ // argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+ asmlinkage()
+ key = int_arg(1)
+ msgflg = int_arg(2)
+ msgflg_str = _sys_open_flag_str(msgflg)
+ argstr = sprintf("%d, %s", key, _sys_open_flag_str(msgflg))
}
-probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
+probe nd_syscall.msgget.return = kprobe.function("sys_msgget").return ?
+{
name = "msgget"
retstr = returnstr(1)
}
@@ -2896,16 +3584,25 @@ probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
# long msgtyp,
# int msgflg)
#
-probe nd_syscall.msgrcv = kernel.function("sys_msgrcv") ? {
+probe nd_syscall.msgrcv = kprobe.function("sys_msgrcv") ?
+{
name = "msgrcv"
- msqid = $msqid
- msgp_uaddr = $msgp
- msgsz = $msgsz
- msgtyp = $msgtyp
- msgflg = $msgflg
- argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
-}
-probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
+ // msqid = $msqid
+ // msgp_uaddr = $msgp
+ // msgsz = $msgsz
+ // msgtyp = $msgtyp
+ // msgflg = $msgflg
+ // argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
+ asmlinkage()
+ msqid = int_arg(1)
+ msgp_uaddr = pointer_arg(2)
+ msgsz = ulong_arg(3)
+ msgtyp = long_arg(4)
+ msgflg = int_arg(5)
+ argstr = sprintf("%d, %p, %d, %d, %d", msqid, msgp_uaddr, msgsz, msgtyp, msgflg)
+}
+probe nd_syscall.msgrcv.return = kprobe.function("sys_msgrcv").return ?
+{
name = "msgrcv"
retstr = returnstr(1)
}
@@ -2914,11 +3611,15 @@ probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
# long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
# int version, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ? {
+probe nd_syscall.compat_sys_msgrcv = kprobe.function("compat_sys_msgrcv") ?
+{
name = "compat_sys_msgrcv"
- argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(5))
}
-probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ? {
+probe nd_syscall.compat_sys_msgrcv.return = kprobe.function("compat_sys_msgrcv").return ?
+{
name = "compat_sys_msgrcv"
retstr = returnstr(1)
}
@@ -2929,15 +3630,23 @@ probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv")
# size_t msgsz,
# int msgflg)
#
-probe nd_syscall.msgsnd = kernel.function("sys_msgsnd") ? {
+probe nd_syscall.msgsnd = kprobe.function("sys_msgsnd") ?
+{
name = "msgsnd"
- msqid = $msqid
- msgp_uaddr = $msgp
- msgsz = $msgsz
- msgflg = $msgflg
- argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
+ // msqid = $msqid
+ // msgp_uaddr = $msgp
+ // msgsz = $msgsz
+ // msgflg = $msgflg
+ // argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
+ asmlinkage()
+ msqid = int_arg(1)
+ msgp_uaddr = pointer_arg(2)
+ msgsz = ulong_arg(3)
+ msgflg = int_arg(4)
+ argstr = sprintf("%d, %p, %d, %d", msqid, msgp_uaddr, msgsz, msgflg)
}
-probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
+probe nd_syscall.msgsnd.return = kprobe.function("sys_msgsnd").return ?
+{
name = "msgsnd"
retstr = returnstr(1)
}
@@ -2945,62 +3654,84 @@ probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
#
# long compat_sys_msgsnd(int first, int second, int third, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ? {
+probe nd_syscall.compat_sys_msgsnd = kprobe.function("compat_sys_msgsnd") ?
+{
name = "compat_sys_msgsnd"
- argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(4))
}
-probe nd_syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ? {
+probe nd_syscall.compat_sys_msgsnd.return = kprobe.function("compat_sys_msgsnd").return ?
+{
name = "compat_sys_msgsnd"
retstr = returnstr(1)
}
# msync ______________________________________________________
# long sys_msync(unsigned long start, size_t len, int flags)
-probe nd_syscall.msync = kernel.function("sys_msync") ? {
+probe nd_syscall.msync = kprobe.function("sys_msync") ?
+{
name = "msync"
- start = $start
- length = $len
- flags = $flags
- argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags))
+ // start = $start
+ // length = $len
+ // flags = $flags
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ flags = int_arg(3)
+ argstr = sprintf("%p, %d, %s", start, length, _msync_flag_str(flags))
}
-probe nd_syscall.msync.return = kernel.function("sys_msync").return ? {
+probe nd_syscall.msync.return = kprobe.function("sys_msync").return ?
+{
name = "msync"
retstr = returnstr(1)
}
# munlock ____________________________________________________
# long sys_munlock(unsigned long start, size_t len)
-probe nd_syscall.munlock = kernel.function("sys_munlock") ? {
+probe nd_syscall.munlock = kprobe.function("sys_munlock") ?
+{
name = "munlock"
- addr = $start
- len = $len
+ // addr = $start
+ // len = $len
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
argstr = sprintf("%p, %d", addr, len)
}
-probe nd_syscall.munlock.return = kernel.function("sys_munlock").return ? {
+probe nd_syscall.munlock.return = kprobe.function("sys_munlock").return ?
+{
name = "munlock"
retstr = returnstr(1)
}
# munlockall _________________________________________________
# long sys_munlockall(void)
-probe nd_syscall.munlockall = kernel.function("sys_munlockall") ? {
+probe nd_syscall.munlockall = kprobe.function("sys_munlockall") ?
+{
name = "munlockall"
argstr = ""
}
-probe nd_syscall.munlockall.return = kernel.function("sys_munlockall").return ? {
+probe nd_syscall.munlockall.return = kprobe.function("sys_munlockall").return ?
+{
name = "munlockall"
retstr = returnstr(1)
}
# munmap _____________________________________________________
# long sys_munmap(unsigned long addr, size_t len)
-probe nd_syscall.munmap = kernel.function("sys_munmap") {
+probe nd_syscall.munmap = kprobe.function("sys_munmap")
+{
name = "munmap"
- start = $addr
- length = $len
+ // start = $addr
+ // length = $len
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
argstr = sprintf("%p, %d", start, length)
}
-probe nd_syscall.munmap.return = kernel.function("sys_munmap").return {
+probe nd_syscall.munmap.return = kprobe.function("sys_munmap").return
+{
name = "munmap"
retstr = returnstr(1)
}
--
1.5.6.5
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.
2009-05-17 19:09 [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp Przemyslaw Pawelczyk
@ 2009-05-18 4:49 ` Ananth N Mavinakayanahalli
2009-05-18 23:56 ` Josh Stone
1 sibling, 0 replies; 6+ messages in thread
From: Ananth N Mavinakayanahalli @ 2009-05-18 4:49 UTC (permalink / raw)
To: Przemyslaw Pawelczyk; +Cc: systemtap
On Sun, May 17, 2009 at 08:09:34PM +0200, Przemyslaw Pawelczyk wrote:
> Replace in-scope variables references with *_arg functions. Use 'kprobe'
> family of probes instead of 'kernel' family for dwarfless probing. Also
> fix a few typos and unify formatting.
Thanks for the work! But there is more to be done -- especially since
many 64bit architectures are migrating to HAVE_SYSCALL_WRAPPERS. This
needs further change (like in syscalls[2].stp) to accomodate SyS_* style
conventions.
Ananth
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.
2009-05-17 19:09 [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp Przemyslaw Pawelczyk
2009-05-18 4:49 ` Ananth N Mavinakayanahalli
@ 2009-05-18 23:56 ` Josh Stone
2009-05-19 0:32 ` Przemysław Pawełczyk
1 sibling, 1 reply; 6+ messages in thread
From: Josh Stone @ 2009-05-18 23:56 UTC (permalink / raw)
To: Przemyslaw Pawelczyk; +Cc: systemtap
On 05/17/2009 11:09 AM, Przemyslaw Pawelczyk wrote:
> Replace in-scope variables references with *_arg functions. Use 'kprobe'
> family of probes instead of 'kernel' family for dwarfless probing. Also
> fix a few typos and unify formatting.
Thanks a lot -- this is good work! I went ahead and committed this to
the repo, but I would ask for a couple more things before we declare
this "complete". First, as Ananth pointed out, we will eventually need
to deal with the SYSCALL_WRAPPERS for some archs. Second is that we now
need to start nd_syscalls2.stp to get the full syscall set. Are you up
to tackling that as well?
Long term, we'll probably want to rename the dwarf syscall tapset to
something like dw_syscall, and then provide aliases like:
probe syscall.foo = dw_syscall.foo !, nd_syscall.foo {}
Josh
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.
2009-05-18 23:56 ` Josh Stone
@ 2009-05-19 0:32 ` Przemysław Pawełczyk
2009-05-19 16:46 ` Jim Keniston
0 siblings, 1 reply; 6+ messages in thread
From: Przemysław Pawełczyk @ 2009-05-19 0:32 UTC (permalink / raw)
To: Josh Stone; +Cc: systemtap
On Tue, May 19, 2009 at 01:55, Josh Stone <jistone@redhat.com> wrote:
> On 05/17/2009 11:09 AM, Przemyslaw Pawelczyk wrote:
>> Replace in-scope variables references with *_arg functions. Use 'kprobe'
>> family of probes instead of 'kernel' family for dwarfless probing. Also
>> fix a few typos and unify formatting.
>
> Thanks a lot -- this is good work! I went ahead and committed this to
> the repo, but I would ask for a couple more things before we declare
> this "complete". First, as Ananth pointed out, we will eventually need
> to deal with the SYSCALL_WRAPPERS for some archs. Second is that we now
> need to start nd_syscalls2.stp to get the full syscall set. Are you up
> to tackling that as well?
Yes, this patch isn't complete, but information that I'll prepare
second version was mistakenly sent only to Ananth instead of mailing
list.
Information about future second patch:
- include fix for architectures using SYSCALL_WRAPPERS,
- add missing probe points (already available in syscalls.stp:
faccessat, fchmodat, fchownat, linkat, mknodat),
- remove return aliases for exit and exit_group (PR6588).
I'm theoretically up to tackle nd_syscalls2.stp, but without any
deadline and as a low priority task.
Conversion from syscalls2?.stp to nd_syscalls2?.stp should be a fully
automatic process, but there is no appropriate script right now.
(Automated generation of syscalls.stp also would be a nice thing.)
Focusing on such a script is IMHO better, but on the other hand it is
one time job. Syscall changes in kernel are rare and further syscalls
modifications will be easily applied by hand.
> Long term, we'll probably want to rename the dwarf syscall tapset to
> something like dw_syscall, and then provide aliases like:
> probe syscall.foo = dw_syscall.foo !, nd_syscall.foo {}
Sounds good for me.
> Josh
Regards.
--
Przemysław Pawełczyk
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.
2009-05-19 0:32 ` Przemysław Pawełczyk
@ 2009-05-19 16:46 ` Jim Keniston
2009-05-22 22:07 ` JoeLynn Keniston
0 siblings, 1 reply; 6+ messages in thread
From: Jim Keniston @ 2009-05-19 16:46 UTC (permalink / raw)
To: Przemysław Pawełczyk
Cc: Josh Stone, systemtap, JoeLynn_gmail Keniston
On Tue, 2009-05-19 at 02:32 +0200, Przemysław Pawełczyk wrote:
> On Tue, May 19, 2009 at 01:55, Josh Stone <jistone@redhat.com> wrote:
> > On 05/17/2009 11:09 AM, Przemyslaw Pawelczyk wrote:
> >> Replace in-scope variables references with *_arg functions. Use 'kprobe'
> >> family of probes instead of 'kernel' family for dwarfless probing. Also
> >> fix a few typos and unify formatting.
> >
> > Thanks a lot -- this is good work! I went ahead and committed this to
> > the repo, but I would ask for a couple more things before we declare
> > this "complete". First, as Ananth pointed out, we will eventually need
> > to deal with the SYSCALL_WRAPPERS for some archs. Second is that we now
> > need to start nd_syscalls2.stp to get the full syscall set. Are you up
> > to tackling that as well?
>
> Yes, this patch isn't complete, but information that I'll prepare
> second version was mistakenly sent only to Ananth instead of mailing
> list.
> Information about future second patch:
> - include fix for architectures using SYSCALL_WRAPPERS,
> - add missing probe points (already available in syscalls.stp:
> faccessat, fchmodat, fchownat, linkat, mknodat),
> - remove return aliases for exit and exit_group (PR6588).
>
> I'm theoretically up to tackle nd_syscalls2.stp, but without any
> deadline and as a low priority task.
> Conversion from syscalls2?.stp to nd_syscalls2?.stp should be a fully
> automatic process, but there is no appropriate script right now.
> (Automated generation of syscalls.stp also would be a nice thing.)
> Focusing on such a script is IMHO better, but on the other hand it is
> one time job. Syscall changes in kernel are rare and further syscalls
> modifications will be easily applied by hand.
>
> > Long term, we'll probably want to rename the dwarf syscall tapset to
> > something like dw_syscall, and then provide aliases like:
> > probe syscall.foo = dw_syscall.foo !, nd_syscall.foo {}
>
> Sounds good for me.
>
> > Josh
>
> Regards.
>
JoeLynn Keniston implemented both nd_syscalls.stp and nd_syscalls2.stp
last summer. Except for differences in spacing and line breaks, her
nd_syscalls.stp looks very close to yours. I'm not sure I ever
completed my code review of nd_syscalls2.stp. Unfortunately, support
for dwarfless probing was backed out of the translator just about the
time she was finishing this work, so testing became a problem and we
shelved the project.
Since she's not an IBMer, I was not (and am not) able to post or check
in her code on her behalf. JoeLynn, please talk to me about posting
your versions of nd_syscalls.stp (for comparison) and nd_syscalls2.stp.
BTW, we were testing it by probing syscall.*[.return] and
nd_syscall.*[.return] in the same script and verifying that each pair of
lines in the output matched.
Sorry for not closing the loop on this last summer. I know it's been a
lot of work.
Jim Keniston
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.
2009-05-19 16:46 ` Jim Keniston
@ 2009-05-22 22:07 ` JoeLynn Keniston
0 siblings, 0 replies; 6+ messages in thread
From: JoeLynn Keniston @ 2009-05-22 22:07 UTC (permalink / raw)
To: systemtap
2009/5/19 Jim Keniston <jkenisto@us.ibm.com>:
>
> JoeLynn Keniston implemented both nd_syscalls.stp and nd_syscalls2.stp
> last summer. Except for differences in spacing and line breaks, her
> nd_syscalls.stp looks very close to yours. I'm not sure I ever
> completed my code review of nd_syscalls2.stp. Unfortunately, support
> for dwarfless probing was backed out of the translator just about the
> time she was finishing this work, so testing became a problem and we
> shelved the project.
>
> Jim Keniston
>
Josh and Prezmyslaw received my previous email, but the mailing list rejected.
I am resending on Josh's advice.
JoeLynn Keniston
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2009-05-22 22:07 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-05-17 19:09 [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp Przemyslaw Pawelczyk
2009-05-18 4:49 ` Ananth N Mavinakayanahalli
2009-05-18 23:56 ` Josh Stone
2009-05-19 0:32 ` Przemysław Pawełczyk
2009-05-19 16:46 ` Jim Keniston
2009-05-22 22:07 ` JoeLynn Keniston
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).